WMI_POLICY

This check queries the Windows WMI database for values specified within a namespace/class/attribute.

Depending on the syntax used, the check either extracts key values or enumerates attribute names.

Usage

<custom_item>
type: WMI_POLICY
description: "Test for WMI Value"
value_type: [value_type]
value_data: [value]
(optional) check_type: [value]
wmi_namespace: ["namespace"]
wmi_request: ["request select statement"]
wmi_attribute: ["attribute"]
wmi_key: ["key"]
</custom_item>

The allowed tags are:

wmi_namespace: "namespace"
wmi_request: "WMI Query"
wmi_attribute: "Name"
wmi_key: "Name"
wmi_option: option
wmi_exclude_result: "result"
only_show_query_output: YES
check_type: CHECK_NOT_REGEX

If the selected class has more than one instance on the system (e.g., the FTP service configurations “MSFTPSVC/83207416” and “MSFTPSVC/2”), the request extracts the chosen attribute from each of them. If one of them does not match the policy value, the wmi_key is added to the report to indicate which instance has failed. The WMI_ENUM option (wmi_option: WMI_ENUM) allows you to enumerate configuration names within a namespace for comparison or policy value checking.

By default, if a WMI query returns no output, the check reports an error. This behavior can be changed, and the check forced to report a PASS, by setting wmi_option to CAN_BE_NULL. By setting only_show_query_output to YES, the output of the WMI query is included in the Nessus report. Using the check_type tag, you can have a PASS result as long as a certain string does not exist in the output. See the examples below.

Other Considerations:

  • WMI attributes need to be explicitly specified in the query. For example, select * from foo will not work.
  • Attributes that have no value set will not be reported.
  • The case of the attributes must be exactly as it appears in Microsoft documentation. For example, the attribute HandleCount cannot be written as Handlecount or handlecount.
  • Values of array type are not included in the result.

Examples

<custom_item>
type: WMI_POLICY
description: "IIS test"
value_type: POLICY_DWORD
value_data: 0
wmi_namespace: "root/MicrosoftIISv2"
wmi_request: "SELECT Name, UserIsolationMode FROM IIsFtpServerSetting"
wmi_attribute: "UserIsolationMode"
wmi_key: "Name"
</custom_item>

If there are two FTP service configurations on your system (“MSFTPSVC/83207416” and “MSFTPSVC/2”), the request extracts the “UserIsolationMode” attribute from both. If one of them does not match the policy value (0), the wmi_key (Name, in this case) is added to the report, indicating which one has failed.

<custom_item>
type: WMI_POLICY
description: "IIS test2"
value_type: POLICY_MULTI_TEXT
value_data: "MSFTPSVC/83207416" && "MSFTPSVC/2"
wmi_namespace: "root/MicrosoftIISv2"
wmi_request: "SELECT Name FROM IIsFtpServerSetting"
wmi_attribute: "Name"
wmi_key: "Name"
wmi_option: WMI_ENUM
</custom_item>

This example checks that the two configuration names specified in value_data are present. If you wish to learn more about a WMI namespace and its associated attributes, Microsoft’s WMI CIM Studio is a valuable tool, available at the following link: http://www.microsoft.com/downloads/details.aspx?FamilyID=6430f853-1120-48db-8cc5-f2abdc3ed314&displaylang=en

<custom_item>
type: WMI_POLICY
description: "List All Windows Processes - except svchost.exe and iPodService.exe"
value_type: POLICY_TEXT
value_data: ""
wmi_namespace: "root/cimv2"
wmi_exclude_result: "svchost.exe,iPodService.exe"
wmi_request: "select Caption,HandleCount,ThreadCount from Win32_Process"
only_show_query_output: YES
</custom_item>

This example lists all Windows processes, but removes the instances of svchost.exe and iPodService.exe from the output.
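The following PowerShell is an added example, not Tenable's code: it reproduces on a Windows host what the three WMI_POLICY items above would see, so the query, the attribute casing and the wmi_key can be validated locally before an .audit file is deployed. The Test-WmiPolicy function and its parameter names are hypothetical, and the example assumes the root/MicrosoftIISv2 and root/cimv2 namespaces exist on the host being tested.

```powershell
# Added example (not Tenable's code). Assumes the queried namespaces exist locally.
function Test-WmiPolicy {
    param(
        [Parameter(Mandatory)] [string]$Namespace,   # wmi_namespace
        [Parameter(Mandatory)] [string]$Query,       # wmi_request (explicit attributes, not SELECT *)
        [Parameter(Mandatory)] [string]$Key,         # wmi_key: identifies which instance failed
        [string]$Attribute,                          # wmi_attribute compared against $Expected
        [object]$Expected,                           # value_data
        [string[]]$ExcludeResult = @()               # wmi_exclude_result, matched on the key
    )
    $rows = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
    if ($rows.Count -eq 0) {
        # Nessus reports an error here unless wmi_option is CAN_BE_NULL
        Write-Warning "query returned no output"
        return
    }
    foreach ($row in $rows) {
        if ($ExcludeResult -contains $row.$Key) { continue }
        if (-not $Attribute) { $row; continue }      # only_show_query_output behaviour
        $actual = $row.$Attribute
        if ($null -eq $actual) { continue }          # attributes with no value are not reported
        $status = if ("$actual" -eq "$Expected") { 'PASSED' } else { 'FAILED' }
        [pscustomobject]@{ Key = $row.$Key; Value = $actual; Status = $status }
    }
}

# "IIS test": every FTP site instance must have UserIsolationMode = 0;
# the Key column shows which MSFTPSVC/<n> instance failed
Test-WmiPolicy -Namespace 'root/MicrosoftIISv2' `
    -Query 'SELECT Name, UserIsolationMode FROM IIsFtpServerSetting' `
    -Attribute 'UserIsolationMode' -Key 'Name' -Expected 0

# "IIS test2" (WMI_ENUM): compare the enumerated configuration names with the expected set;
# Compare-Object prints nothing when the two sets are identical
$expected = @('MSFTPSVC/83207416', 'MSFTPSVC/2')
$names = @((Get-CimInstance -Namespace 'root/MicrosoftIISv2' `
    -Query 'SELECT Name FROM IIsFtpServerSetting').Name)
Compare-Object -ReferenceObject $expected -DifferenceObject $names

# Process listing with wmi_exclude_result applied to the Caption key
Test-WmiPolicy -Namespace 'root/cimv2' -Key 'Caption' `
    -Query 'SELECT Caption, HandleCount, ThreadCount FROM Win32_Process' `
    -ExcludeResult 'svchost.exe', 'iPodService.exe'
```

Running the queries this way also surfaces attribute-name case errors (a mistyped property simply returns nothing), which is the same condition that makes the Nessus item report no value.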

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.