I'm running an evaluation of some Windows 2008 machines against the CIS Windows Server 2008 Benchmark and noticed a large number of results with status "unknown" (instead of pass/fail), especially those related to "Audit Policy". It seems like the collection mechanism cannot find or access the values, but I know they are actually there (i.e., registry, secpol, auditpol.exe, etc.). I'm running an agentless collection and using domain admin credentials.
Has anybody observed the same?
Did you try running the same checks, choosing the same data source from the RMS console and pointing to the same server in a domain? If yes, do you see the results, or does it throw any error message?
I know this is a little old. Wondering if anyone had a fix.
I run the same evaluation with the same setup as above on Windows Server operating systems, and everything works fine. When I run an evaluation against a Windows 7 machine (Windows 7 CIS Security Benchmark), I get a large portion (46%) unknown. And it is not detecting the changes in the policy on the Windows 7 machine to correct failures either: even though I can log in to the machine and see the changes have been made, they are still flagged as "Fail" in the evaluation.
I am using CCS 11, and a domain admin account as Windows Credentials. I have verified that the credentials work without issue on the Windows 7 machine.
Unknown status can come from many different conditions. You will most likely need to look into the data collection job and see what messages are being reported. In addition to that, you may need to turn on verbose logging on the CCS Manager and look at the logs. In most cases the logs will be in the following folder: C:\Programdata\Symantec.CSM\DPS\*.csv. The folder names might have changed due to the newer version, but once verbose logging is turned on, you will need to sift through the logs to see what is causing the issue. It is possible that there is something being blocked on your target machine. Most of the data is now collected via WMI, so you will need to make sure that nothing is blocking that. As Syed had mentioned previously, try to build a query to get the same data as being requested in the check and see if you are successful.
Hope this helps
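A way to test the WMI path the reply above describes, run from the CCS Manager host with the same credentials the scan uses. This is an added example, not part of the original posts and not a Symantec tool; the target name TARGET-HOST, the function names and the choice of Win32_OperatingSystem as the probe class are assumptions.

```powershell
param(
    [string]$Target = 'TARGET-HOST',   # placeholder name, not from the thread
    [System.Management.Automation.PSCredential]$Credential = (Get-Credential)
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Test-RemoteWmi {
    param([string]$ComputerName,
          [System.Management.Automation.PSCredential]$Credential)
    $r = New-Object PSObject -Property @{
        Target = $ComputerName; Rpc135 = $false; WmiQuery = 'NotRun'; Detail = ''
    }
    # WMI over DCOM starts on the RPC endpoint mapper (TCP 135), then moves
    # to a dynamically assigned port, so both stages are tested separately.
    $r.Rpc135 = Test-TcpPort -ComputerName $ComputerName -Port 135
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName `
                            -Credential $Credential -ErrorAction Stop
        $r.WmiQuery = 'OK'; $r.Detail = $os.Caption
    } catch [System.UnauthorizedAccessException] {
        # Reached the host but was refused: credentials, UAC remote
        # restrictions or DCOM/WMI namespace permissions.
        $r.WmiQuery = 'AccessDenied'; $r.Detail = $_.Exception.Message
    } catch [System.Runtime.InteropServices.COMException] {
        # -2147023174 is 0x800706BA, "The RPC server is unavailable".
        if ($_.Exception.ErrorCode -eq -2147023174) {
            $r.WmiQuery = 'RpcUnavailable'
            $r.Detail = 'Host down, name not resolving, or firewall blocking RPC/WMI'
        } else {
            $r.WmiQuery = 'ComError'; $r.Detail = $_.Exception.Message
        }
    } catch {
        $r.WmiQuery = 'Error'; $r.Detail = $_.Exception.Message
    }
    $r
}

Test-RemoteWmi -ComputerName $Target -Credential $Credential | Format-List
```

Rpc135 true together with WmiQuery RpcUnavailable points at the dynamic RPC port range being filtered rather than port 135 itself.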
How do I turn verbose logging on in CCS 11?
Thanks in advance
Thank you for your reply. It turned out that the Windows firewall on the local machine was configured to block things like WMI as you mentioned. I was able to reconfigure and get the scan to work perfectly. I see you mentioned verbose logging, and another response was asking how to turn that on. I think I would have been able to find my firewall issue a little faster if I had this enabled. So my question is the same as the question below. How do you enable verbose logging?
Please refer to CCS_User_Guide.pdf, pages 425 and 708, for more clarity.
Basically you need to find the desired config file and edit the XML and find the log level and change it. Here are a couple of links for your reference:
For Application Server:
X:\program files (x86)\Symantec\CCS\Reporting and Analytics\Application Server
For CCS Manager:
X:\program files (x86)\Symantec\CCS\Reporting and Analytics\DPS
For Directory Server Support:
X:\program files (x86)\Symantec\CCS\Reporting and Analytics\Directory Support Service
These are all XML files so you will need to look into the text and find where the log levels are set to change how the logs are performing. Most logs can be found here for Windows Server 2008+:
C:\ProgramData\Symantec.CSM\Logs\[folder of service/task]
When you change the log levels the change will be immediate and you will not need to stop/start the given service.
Hope this helps.