Running hubble hubble.audit on Server 2012R2 results in NOVA module exception
alias454 opened this issue · 3 comments
After the gitfs failures from previous attempts, I thought pushing out the NOVA profiles may work and luckily it did. However, I am now getting this error running hubble.audit on a fresh Windows 2012R2 server that is not joined to a domain.
[ERROR ] name MACHINE\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID was not in __secdata__
[ERROR ] Exception occurred in nova module:
[ERROR ] Traceback (most recent call last):
File "C:\PROGRA~2\Hubble\hubblestack\extmods\modules\hubble.py", line 291, in _run_audit
ret = func(data_list, tags, labels, **kwargs)
File "C:\PROGRA~2\Hubble\hubblestack\files\hubblestack_nova\win_secedit.py", line 133, in audit
match_output,
UnboundLocalError: local variable 'match_output' referenced before assignment
{'Compliance': '15%',
'Errors': [{'\\win_secedit.py': {'data': "UnboundLocalError: local variable 'match_output' referenced before assignment",
'error': 'exception occurred'}}],
'Failure': [{'CIS-9.3.8': 'Ensure "Windows Firewall- Public- Logging- Size limit (KB)" is set to "16,384 KB or greater"'},
{'CIS-9.2.10': 'Ensure "Windows Firewall- Private- Logging- Log successful connections" is set to "Yes"'},
{'CIS-9.1.10': 'Ensure "Windows Firewall- Domain- Logging- Log successful connections" is set to "Yes"'},
This is using the Windows installer Hubble-v2.4.7-Setup.exe
Yeah, looks like it's an error in the error handling around a key missing from the registry, which is why it hasn't been caught yet. Good catch! We'll get this fixed.
Thanks for looking into it.
To get around the problem for now, I am setting match_output = 'not set' within the else block.
that at least allows all the checks to not throw an error because of an unset variable.
I'm not sure if this is interesting to you at all but adding it for completeness. This is the full error list now.
[ERROR ] name MACHINE\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID was not in __secdata__
[ERROR ] name MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback was not in __secdata__
[ERROR ] name MACHINE\System\CurrentControlSet\Control\Lsa\UseMachineId was not in __secdata__
[ERROR ] name MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel was not in __secdata__
[ERROR ] name MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes was not in __secdata__
[ERROR ] name SeDenyServiceLogonRight was not in __secdata__
[ERROR ] name SeDenyBatchLogonRight was not in __secdata__
[ERROR ] name SeDenyNetworkLogonRight was not in __secdata__
[ERROR ] name SeDenyInteractiveLogonRight was not in __secdata__
[ERROR ] name SeDenyRemoteInteractiveLogonRight was not in __secdata__
[ERROR ] name MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs was not in __secdata__
[ERROR ] name ResetLockoutCount was not in __secdata__
[ERROR ] name LockoutDuration was not in __secdata__
[ERROR ] name MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\SmbServerNameHardeningLevel was not in __secdata__
[ERROR ] name MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy was not in __secdata__
[ERROR ] name MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoConnectedUser was not in __secdata__
[ERROR ] name MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD was not in __secdata__
[ERROR ] name HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal was not in __secdata__