Moreno Gontijo
Hi,

I'm having a problem while trying to collect effective rights using "fileeffectiverights53" on Windows. I changed the permissions of the folder NTDS (C:\Windows\NTDS) as below:

  Administrators - full control
  System - read & execute
  Local service - read & execute

I tried to collect for 3 SIDs:

  S-1-5-32-544 (Administrators)
  S-1-5-18 (System)
  S-1-5-19 (Local service)

But the system characteristics are as follows:

  <fileeffectiverights_item id="2" xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows">
    <path>C:\Windows\NTDS</path>
    <filename/>
    <trustee_sid>S-1-5-32-544</trustee_sid>
    <standard_delete datatype="boolean">1</standard_delete>
    <standard_read_control datatype="boolean">1</standard_read_control>
    <standard_write_dac datatype="boolean">1</standard_write_dac>
    <standard_write_owner datatype="boolean">1</standard_write_owner>
    <standard_synchronize datatype="boolean">1</standard_synchronize>
    <access_system_security datatype="boolean">0</access_system_security>
    <generic_read datatype="boolean">1</generic_read>
    <generic_write datatype="boolean">1</generic_write>
    <generic_execute datatype="boolean">1</generic_execute>
    <generic_all datatype="boolean">1</generic_all>
    <file_read_data datatype="boolean">1</file_read_data>
    <file_write_data datatype="boolean">1</file_write_data>
    <file_append_data datatype="boolean">1</file_append_data>
    <file_read_ea datatype="boolean">1</file_read_ea>
    <file_write_ea datatype="boolean">1</file_write_ea>
    <file_execute datatype="boolean">1</file_execute>
    <file_delete_child datatype="boolean">1</file_delete_child>
    <file_read_attributes datatype="boolean">1</file_read_attributes>
    <file_write_attributes datatype="boolean">1</file_write_attributes>
  </fileeffectiverights_item>
  <fileeffectiverights_item id="3" xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows">
    <path>C:\Windows\NTDS</path>
    <filename/>
    <trustee_sid>S-1-5-18</trustee_sid>
    <standard_delete datatype="boolean">1</standard_delete>
    <standard_read_control datatype="boolean">1</standard_read_control>
    <standard_write_dac datatype="boolean">1</standard_write_dac>
    <standard_write_owner datatype="boolean">1</standard_write_owner>
    <standard_synchronize datatype="boolean">1</standard_synchronize>
    <access_system_security datatype="boolean">0</access_system_security>
    <generic_read datatype="boolean">1</generic_read>
    <generic_write datatype="boolean">1</generic_write>
    <generic_execute datatype="boolean">1</generic_execute>
    <generic_all datatype="boolean">1</generic_all>
    <file_read_data datatype="boolean">1</file_read_data>
    <file_write_data datatype="boolean">1</file_write_data>
    <file_append_data datatype="boolean">1</file_append_data>
    <file_read_ea datatype="boolean">1</file_read_ea>
    <file_write_ea datatype="boolean">1</file_write_ea>
    <file_execute datatype="boolean">1</file_execute>
    <file_delete_child datatype="boolean">1</file_delete_child>
    <file_read_attributes datatype="boolean">1</file_read_attributes>
    <file_write_attributes datatype="boolean">1</file_write_attributes>
  </fileeffectiverights_item>
  <fileeffectiverights_item id="4" xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows">
    <path>C:\Windows\NTDS</path>
    <filename/>
    <trustee_sid>S-1-5-19</trustee_sid>
    <standard_delete datatype="boolean">0</standard_delete>
    <standard_read_control datatype="boolean">1</standard_read_control>
    <standard_write_dac datatype="boolean">0</standard_write_dac>
    <standard_write_owner datatype="boolean">0</standard_write_owner>
    <standard_synchronize datatype="boolean">1</standard_synchronize>
    <access_system_security datatype="boolean">0</access_system_security>
    <generic_read datatype="boolean">1</generic_read>
    <generic_write datatype="boolean">0</generic_write>
    <generic_execute datatype="boolean">1</generic_execute>
    <generic_all datatype="boolean">1</generic_all>
    <file_read_data datatype="boolean">1</file_read_data>
    <file_write_data datatype="boolean">0</file_write_data>
    <file_append_data datatype="boolean">0</file_append_data>
    <file_read_ea datatype="boolean">1</file_read_ea>
    <file_write_ea datatype="boolean">0</file_write_ea>
    <file_execute datatype="boolean">1</file_execute>
    <file_delete_child datatype="boolean">0</file_delete_child>
    <file_read_attributes datatype="boolean">1</file_read_attributes>
    <file_write_attributes datatype="boolean">0</file_write_attributes>
  </fileeffectiverights_item>

Why are the rights of SID S-1-5-18 (fileeffectiverights_item id="3") full control instead of read & execute? Is this a bug in ovaldi? Attached is the definitions.xml that I used.

Thanks,
Moreno.

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

definitions.xml (attachment):

  <?xml version="1.0" encoding="ISO8859-1"?>
  <oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd"
      xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
      xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <generator>
      <oval:product_name>The OVAL Repository</oval:product_name>
      <oval:schema_version>5.5</oval:schema_version>
      <oval:timestamp>2009-07-20T21:13:42.715-04:00</oval:timestamp>
    </generator>
    <!-- ========================================= -->
    <!-- ========== 1. DEFINITIONS ========== -->
    <!-- ========================================= -->
    <definitions>
      <definition id="oval:gov.nist.fdcc.win2008:def:35636" version="1" class="compliance">
        <metadata>
          <title>As permissões NTFS para os registros de auditoria ("logs") gerados pelo banco de dados ("ntdis.dit") do serviço "Active Directory" devem ser configuradas de forma a evitar acessos indevidos.</title>
          <description>
            Os registros de auditoria ("logs") gerados pelo banco de dados ("ntdis.dit") do serviço "Active Directory" podem conter informações sensíveis sobre o serviço. Recomenda-se que as permissões de acesso a estes registros sejam configuradas de forma a evitar acessos indevidos, evitando, assim, a obtenção de informações sensíveis sobre o serviço e, conseqüentemente, a sua utilização em futuros ataques.
          </description>
        </metadata>
        <criteria>
          <criterion test_ref="oval:gov.nist.fdcc.win2008:tst:35636" comment="Coletar as permissões do NTFS - Full Control"/>
          <criterion test_ref="oval:gov.nist.fdcc.win2008:tst:3563602" comment="Coletar as permissões do NTFS"/>
        </criteria>
      </definition>
    </definitions>
    <!-- ========================================= -->
    <!-- ========== 2. TESTS ========== -->
    <!-- ========================================= -->
    <tests>
      <!-- Editor's correction: the posted file declared these two tests as registry_test,
           which does not match the fileeffectiverights53_object elements they reference;
           the matching test type is fileeffectiverights53_test. -->
      <fileeffectiverights53_test id="oval:gov.nist.fdcc.win2008:tst:35636" version="1" comment="Coletar as permissões" check_existence="all_exist" check="all" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
        <object object_ref="oval:gov.nist.fdcc.win2008:obj:35636"/>
        <state state_ref="oval:gov.nist.fdcc.win2008:ste:4111"/>
      </fileeffectiverights53_test>
      <fileeffectiverights53_test id="oval:gov.nist.fdcc.win2008:tst:3563602" version="1" comment="Coletar as permissões" check_existence="all_exist" check="all" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
        <object object_ref="oval:gov.nist.fdcc.win2008:obj:3563602"/>
        <state state_ref="oval:gov.nist.fdcc.win2008:ste:4113"/>
      </fileeffectiverights53_test>
    </tests>
    <!-- ========================================= -->
    <!-- ========== 3. OBJECTS ========== -->
    <!-- ========================================= -->
    <objects>
      <fileeffectiverights53_object id="oval:gov.nist.fdcc.win2008:obj:35636" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
        <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
          <set>
            <object_reference>oval:gov.nist.fdcc.win2008:obj:3563601</object_reference>
            <object_reference>oval:gov.nist.fdcc.win2008:obj:3563603</object_reference>
          </set>
        </set>
      </fileeffectiverights53_object>
      <fileeffectiverights53_object id="oval:gov.nist.fdcc.win2008:obj:3563601" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
        <path datatype="string" var_ref="oval:gov.nist.fdcc.win2008:var:5112"/>
        <filename xsi:nil="true"></filename>
        <trustee_sid operation="pattern match">S-1-5-32-544</trustee_sid>
      </fileeffectiverights53_object>
      <fileeffectiverights53_object id="oval:gov.nist.fdcc.win2008:obj:3563602" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
        <path datatype="string" var_ref="oval:gov.nist.fdcc.win2008:var:5112"/>
        <filename xsi:nil="true"></filename>
        <trustee_sid operation="pattern match">S-1-5-19</trustee_sid>
      </fileeffectiverights53_object>
      <fileeffectiverights53_object id="oval:gov.nist.fdcc.win2008:obj:3563603" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
        <path datatype="string" var_ref="oval:gov.nist.fdcc.win2008:var:5112"/>
        <filename xsi:nil="true"></filename>
        <trustee_sid operation="pattern match">S-1-5-18</trustee_sid>
      </fileeffectiverights53_object>
      <registry_object id="oval:gov.nist.fdcc.win2008:obj:35628" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
        <hive>HKEY_LOCAL_MACHINE</hive>
        <key>SYSTEM\CurrentControlSet\Services\NTDS\Parameters</key>
        <name>Database log files path</name>
      </registry_object>
    </objects>
    <!-- ========================================= -->
    <!-- ========== 4. STATES ========== -->
    <!-- ========================================= -->
    <states>
      <fileeffectiverights53_state id="oval:gov.nist.fdcc.win2008:ste:4111" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" comment="Permissão Full Control">
        <standard_delete datatype="boolean">1</standard_delete>
        <standard_read_control datatype="boolean">1</standard_read_control>
        <standard_synchronize datatype="boolean">1</standard_synchronize>
        <generic_read datatype="boolean">1</generic_read>
        <generic_write datatype="boolean">1</generic_write>
        <generic_execute datatype="boolean">1</generic_execute>
        <file_read_data datatype="boolean">1</file_read_data>
        <file_write_data datatype="boolean">1</file_write_data>
        <file_append_data datatype="boolean">1</file_append_data>
        <file_read_ea datatype="boolean">1</file_read_ea>
        <file_write_ea datatype="boolean">1</file_write_ea>
        <file_execute datatype="boolean">1</file_execute>
        <file_delete_child datatype="boolean">1</file_delete_child>
        <file_read_attributes datatype="boolean">1</file_read_attributes>
        <file_write_attributes datatype="boolean">1</file_write_attributes>
      </fileeffectiverights53_state>
      <fileeffectiverights53_state id="oval:gov.nist.fdcc.win2008:ste:4113" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" comment="Permissão Create Folders / append data">
        <standard_delete datatype="boolean">0</standard_delete>
        <standard_read_control datatype="boolean">0</standard_read_control>
        <generic_read datatype="boolean">0</generic_read>
        <generic_write datatype="boolean">0</generic_write>
        <generic_execute datatype="boolean">0</generic_execute>
        <file_read_data datatype="boolean">0</file_read_data>
        <file_write_data datatype="boolean">0</file_write_data>
        <file_append_data datatype="boolean">1</file_append_data>
        <file_read_ea datatype="boolean">0</file_read_ea>
        <file_write_ea datatype="boolean">0</file_write_ea>
        <file_execute datatype="boolean">0</file_execute>
        <file_delete_child datatype="boolean">0</file_delete_child>
        <file_read_attributes datatype="boolean">0</file_read_attributes>
        <file_write_attributes datatype="boolean">0</file_write_attributes>
      </fileeffectiverights53_state>
    </states>
    <!-- ========================================= -->
    <!-- =========== 5. VARIABLES ============ -->
    <!-- ========================================= -->
    <variables>
      <local_variable id="oval:gov.nist.fdcc.win2008:var:5112" version="1" comment=" " datatype="string">
        <object_component object_ref="oval:gov.nist.fdcc.win2008:obj:35628" item_field="value"/>
      </local_variable>
    </variables>
  </oval_definitions>

Moreno Lucas Gontijo
moreno@mindsatwork.com.br
Minds at Work Information technology
http://www.mindsatwork.com.br
Danny Haynes
Hi Moreno,

I do not believe that this is a bug in the OVAL Interpreter. It seems that the System account (S-1-5-18) is a hidden member of the Administrators group (http://technet.microsoft.com/en-us/library/cc778824(WS.10).aspx). As a result, if you change the rights of the System account to allow only read and execute, it will get the rights of read and execute as well as the full control rights of the Administrators group (S-1-5-32-544). This results in the System account having full control rights even though you changed its rights to read and execute.

So, in order to limit the rights of the System account, you will have to deny the rights that you do not want the System account to have. Thus, you will need to deny all of the rights that are associated with full control rights but not associated with read and execute rights. The rights that are associated with full control and not read and execute are the create files/write data, create folders/append data, write attributes, write extended attributes, delete subfolders and files, delete, change permissions, and take ownership rights. Once I denied these rights, I was able to get the expected results.

Please see http://support.microsoft.com/kb/308419 for more information on which rights correspond to full control, modify, read and execute, list folder contents, read, and write, as well as how to configure these rights.

Let me know if this does not work for you.

Thanks,
Danny
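The mechanism Danny describes, as an added example that is not code from the thread, from ovaldi or from Microsoft: a simplified Python model of how effective rights on a file system object are computed. It treats the SYSTEM token as carrying the Administrators group SID, evaluates the ACL in canonical order (explicit deny ACEs before allow ACEs) so that the effective mask is the union of matching allow masks minus the union of matching deny masks, and maps the resulting ACCESS_MASK bits onto the boolean fields of a fileeffectiverights_item. The token group table, the two ACLs and the constant names are assumptions constructed for the example; inheritance, owner rights and generic-right mapping are ignored.

```python
# Added example: simplified model of Windows effective-rights evaluation,
# reproducing the behaviour discussed in the thread. Not ovaldi code.
# Assumptions: canonical ACL order (deny before allow), hard-coded token
# group membership, no inheritance or generic-right mapping.

from dataclasses import dataclass

# Specific and standard access-right bits for file objects (Windows ACCESS_MASK).
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_APPEND_DATA = 0x0004
FILE_READ_EA = 0x0008
FILE_WRITE_EA = 0x0010
FILE_EXECUTE = 0x0020
FILE_DELETE_CHILD = 0x0040
FILE_READ_ATTRIBUTES = 0x0080
FILE_WRITE_ATTRIBUTES = 0x0100
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
SYNCHRONIZE = 0x00100000

# fileeffectiverights_item field name -> the ACCESS_MASK bit it reports.
OVAL_FIELDS = {
    "standard_delete": DELETE,
    "standard_read_control": READ_CONTROL,
    "standard_write_dac": WRITE_DAC,
    "standard_write_owner": WRITE_OWNER,
    "standard_synchronize": SYNCHRONIZE,
    "file_read_data": FILE_READ_DATA,
    "file_write_data": FILE_WRITE_DATA,
    "file_append_data": FILE_APPEND_DATA,
    "file_read_ea": FILE_READ_EA,
    "file_write_ea": FILE_WRITE_EA,
    "file_execute": FILE_EXECUTE,
    "file_delete_child": FILE_DELETE_CHILD,
    "file_read_attributes": FILE_READ_ATTRIBUTES,
    "file_write_attributes": FILE_WRITE_ATTRIBUTES,
}

# The "Full control" and "Read & execute" presets of the security dialog.
FULL_CONTROL = 0x001F01FF  # FILE_ALL_ACCESS
READ_AND_EXECUTE = (FILE_READ_DATA | FILE_READ_EA | FILE_EXECUTE
                    | FILE_READ_ATTRIBUTES | READ_CONTROL | SYNCHRONIZE)
# Everything in full control that is not in read & execute: write data,
# append data, write EA, write attributes, delete child, delete, write DAC,
# write owner. This is the set Danny says must be denied.
RIGHTS_TO_DENY = FULL_CONTROL & ~READ_AND_EXECUTE

ADMINISTRATORS = "S-1-5-32-544"
SYSTEM = "S-1-5-18"
LOCAL_SERVICE = "S-1-5-19"

# Constructed token group membership (assumption): SYSTEM's token also
# carries the Administrators group SID.
TOKEN_GROUPS = {
    ADMINISTRATORS: {ADMINISTRATORS},
    SYSTEM: {SYSTEM, ADMINISTRATORS},
    LOCAL_SERVICE: {LOCAL_SERVICE},
}


@dataclass(frozen=True)
class Ace:
    sid: str
    mask: int
    deny: bool = False


def effective_rights(acl, trustee):
    """Effective access mask for trustee over a canonically ordered ACL."""
    groups = TOKEN_GROUPS.get(trustee, {trustee})
    allowed = denied = 0
    for ace in acl:
        if ace.sid not in groups:
            continue  # ACE does not apply to any SID in this token
        if ace.deny:
            denied |= ace.mask
        else:
            allowed |= ace.mask
    return allowed & ~denied


def to_oval_item(mask):
    """Map an access mask onto the boolean fields of a fileeffectiverights_item."""
    return {name: bool(mask & bit) for name, bit in OVAL_FIELDS.items()}


# Constructed ACL matching what Moreno configured on C:\Windows\NTDS.
ORIGINAL_ACL = [
    Ace(ADMINISTRATORS, FULL_CONTROL),
    Ace(SYSTEM, READ_AND_EXECUTE),
    Ace(LOCAL_SERVICE, READ_AND_EXECUTE),
]

# The same ACL with Danny's fix: an explicit deny ACE for SYSTEM, listed first.
HARDENED_ACL = [Ace(SYSTEM, RIGHTS_TO_DENY, deny=True)] + ORIGINAL_ACL

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("with deny ACE", HARDENED_ACL)):
        mask = effective_rights(acl, SYSTEM)
        granted = [f for f, on in to_oval_item(mask).items() if on]
        print(f"{label}: SYSTEM effective mask 0x{mask:08X} -> {granted}")
```

Running it shows SYSTEM at 0x001F01FF (every item field set to 1, as in Moreno's item id="3") under the original ACL, and at 0x001200A9 (read & execute only) once the deny ACE is present; the deny ACE names only S-1-5-18, so Administrators keeps full control.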
Moreno Gontijo
Hi Danny,
The answer solved my problem.

Thanks,
Moreno

On Wed, Oct 14, 2009 at 10:23 AM, Haynes, Dan <[hidden email]> wrote: