CIS-CAT Pro Assessor halts at AUDIT_SUCCESS_FAILURE with a "Premature end of file" error for Windows assessments
Product Name
CIS-CAT Pro Assessor v4
Product Version
any
Date
Apr 15, 2025
Problem
A local or remote CIS-CAT Pro Assessor v4 scan on Windows 10/11 or Windows Server 2016/2019/2022 systems halts at the following check:
-- [obj:6869921] Ensure 'credential_validation' is 'Equals' to 'AUDIT_SUCCESS_FAILURE'......
[Fatal Error] :1:1: Premature end of file.
Disconnecting Session.The (Assessor directory)/logs/assessor-cli.log file contains the following corresponding entries:
INFO org.cisecurity.session.impl.BaseSession - Stderr Line File "ciscat.py", line 48, in <module>
INFO org.cisecurity.session.impl.BaseSession - Stderr Line File "ciscat.py", line 43, in main
INFO org.cisecurity.session.impl.BaseSession - Stderr Line File "lib_ciscat.py", line 40, in oval_auditeventsubcategories
INFO org.cisecurity.session.impl.BaseSession - Stderr Line File "AuditPolicy.py", line 244, in oval_auditeventsubcategories
INFO org.cisecurity.session.impl.BaseSession - Stderr Line KeyError: '{0CCE924B-69AE-11D9-BED3-505054503030}'
INFO org.cisecurity.session.impl.BaseSession - Stderr Line [hostname:ERROR] Failed to execute script 'ciscat' due to unhandled exception!
INFO org.cisecurity.assessor.cli.Assessor - Assessment Complete; Disconnecting Session..Or for assessments launched via CIS-CAT Pro Dashboard in the (Dashboard directory)/logs/ccpdlogs/assessor.log file:
INFO org.cisecurity.session.impl.BaseSession - There was no stdout to parse to XML for command --> ""C:\Windows\temp\ccpa-temp-20250415T104411358\ciscat.exe" "oval_auditeventsubcategories""
INFO cisecurity.tools.ciscatdb.assessor.AssessorService - Assessment Error, disconnecting session: Cannot get property 'auditeventpolicysubcategories_item' on null object
INFO cisecurity.tools.ciscatdb.assessor.AssessorService - Assessment Complete; Disconnecting Session...In all cases connected to this issue, the KeyError: '{0CCE924B-69AE-11D9-BED3-505054503030}' or oval_auditeventsubcategories presence (in case of Dashboard) in the log file will be consistent.
Solution
This issue is caused by a recently published Windows Update (April 8, 2025- KB5055528 and KB5055519), which affects Audit events and their reporting capacity from the locally configured system policy. CIS-CAT Pro Assessor and similar tools rely on this feature to capture evidence data for Recommendation 17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'.
The issue introduced by the above KBs has been addressed in the latest available Windows patch release as of 4/11/2025; these out-of-band hotfixes are not yet available via Windows Update, but can be installed on affected systems via the provided Microsoft Catalog .msu files:
This issue is resolved in Windows updates released April 10, 2025 (the Resolved KBs listed below), and later. We recommend you install the latest update for your device as it contains important improvements and issue resolutions, including this one.
Resolved KBs
Client Versions
Server Versions
These .msu files can be downloaded directly at the below Catalog links for their respective OS:
OS | Catalog Link to KB |
|---|---|
Windows 11 22H2 & 23H2 | https://www.catalog.update.microsoft.com/Search.aspx?q=KB5058919 |
Windows Server 2022 | https://www.catalog.update.microsoft.com/Search.aspx?q=KB5058920 |
Windows Server 2019 | https://www.catalog.update.microsoft.com/Search.aspx?q=KB5058922 |
Windows Server 2016 | https://www.catalog.update.microsoft.com/Search.aspx?q=KB5058921 |
After installing the update, the scan should then complete again as expected.
Keywords; Assessor AUDIT_SUCCESS_FAILURE Windows “Premature end of file” 0CCE924B-69AE-11D9-BED3-505054503030 AuditPolicy.py
Content by Label