Failed Results from compliance script even though rules are enabled.

[ahmedwm1]

I have the following rules enabled however when the compliance script is pushed out and checked for failed results. i am getting the following failed results consistently on all of our test machines. What is the cause of these results failing even though they are enabled, how can I get past them or do I need to create exemptions for the failed results? My goal to get our failed results down to 0 but i am noticing these failures on all the machines even if they are re-imaged.

List of Failed Results:

os_filevault_autologin_disable
os_firewall_default_deny_require
os_library_validation_enabled
os_power_nap_enable
os_safari_advertising_privacy_protection_enable
os_safari_prevent_cross-site_tracking_enable
os_safari_show_full_website_address_enable
os_safari_warn_fraudulent_website_enable
os_screensaver_timeout_loginwindow_enforce
os_ssh_fips_compliant
os_sshd_fips_compliant
os_terminal_secure_keyboard_enable
system_settings_bluetooth_menu_enable
system_settings_external_intelligence_sign_in_disable
system_settings_wifi_menu_enable

Thank You
Waqas

[jmahlman]

Are all of your config profiles deployed to the endpoints? Can you validate they're installed on one?

[jmahlman]

Can you provide screenshots of the configs installed and the settings within the configs?

[brodjieski]

A handful of those rules are not configured with a profile. Have you run the remediation part of the script?

Keep in mind that unless they are configured to be compliant, they will get marked as failed. Exemptions are only to identify those that failed, but are excluded from compliance reporting. If you are looking to exempt all of your systems from these or any of the rules, you may want to consider removing them from your baseline altogether.

[ahmedwm1]

Hello, yes I have ran the remediation script and the rules are configured to be compliant which is why i am not sure why they are still showing up as failed.

[brodjieski]

You'll want to visit these on a rule by rule basis and run the individual checks on the system manually to verify the results. Depending on the specific rule, there are various ways to approach the troubleshooting.

For example, you may have multiple configuration profiles deployed to the systems that have conflicting settings.

The log file that is generated the compliance checks are run will give you some indication as to why the control fails.

[ahmedwm1]

Thank You Brodijiski, that helped, i was able to figure out why the failed results were showing up. Seems like the when creating the baseline, the config profiles for the failed results did not get uploaded, so the checks were failing for that. I created new config profiles for the failed results and now they are no longer there. Thank you again for your help

[ahmedwm1]

As you can see the failed rules for os_sefari are all included in the baseline and are enabled, however they are still showing up as failed. The same applies to the rest of the failed rules.