Objective:

Audit “Advanced Audit Policy Configuration Settings”
Hardening / Configuring “Advanced Audit Policy Configuration Settings”

Overview

“Advanced Audit Policy Configuration Settings” can be configured via Group Policy.

Basic and advanced audit policy configurations should not be mixed.
Force the use of “Audit Policy Subcategory Settings”.

Available Settings

Category	Policy Name	Stigviewer Finding ID Success	Stigviewer Finding ID Failure
Account Logon	Audit Credential Validation	V-26529	V-26530
Account Logon	Audit Kerberos Authentication Service	–	–
Account Logon	Audit Kerberos Service Ticket Operations	–	–
Account Logon	Audit Other Account Logon Events	–	–
Account Management	Audit Application Group Management	–	–
Account Management	Audit Computer Account Management	V-26531	V-26532
Account Management	Audit Distribution Group Management	–	–
Account Management	Audit Other Account Management Events	V-26533	V-26534
Account Management	Audit Security Group Management	V-26535	V-26536
Account Management	Audit User Account Management	V-26537	V-26538
Detailed Tracking	Audit DPAPI Activity	–	–
Detailed Tracking	Audit PNP Activity	V-63451	–
Detailed Tracking	Audit Process Creation	V-26539	–
Detailed Tracking	Audit Process Termination	–	–
Detailed Tracking	Audit RPC Events	–	–
Detailed Tracking	Audit Token Right Adjusted	–	–
DS Access	Audit Detailed Directory Service Replication	–	–
DS Access	Audit Directory Service Access	V-33663	V-33664
DS Access	Audit Directory Service Changes	V-33665	V-33666
DS Access	Audit Directory Service Replication	–	–
Logon/Logoff	Audit Account Lockout	–	–
Logon/Logoff	Audit User / Device Claims	–	–
Logon/Logoff	Audit Group Membership	V-63457
Logon/Logoff	Audit IPsec Extended Mode	–	–
Logon/Logoff	Audit IPsec Main Mode	–	–
Logon/Logoff	Audit IPsec Quick Mode	–	–
Logon/Logoff	Audit Logoff	V-26540	–
Logon/Logoff	Audit Logon	V-26541	V-26542
Logon/Logoff	Audit Network Policy Server	–	–
Logon/Logoff	Audit Other Logon/Logoff Events	–	–
Logon/Logoff	Audit Special Logon	V-26543	–
Object Access	Audit Application Generated	–	–
Object Access	Audit Certification Services	–	–
Object Access	Audit Detailed File Share	–	–
Object Access	Audit File Share	–	–
Object Access	Audit File System	–	–
Object Access	Audit Filtering Platform Connection	–	–
Object Access	Audit Filtering Platform Packet Drop	–	–
Object Access	Audit Handle Manipulation	–	–
Object Access	Audit Kernel Object	–	–
Object Access	Audit Other Object Access Events	–	–
Object Access	Audit Registry	–	–
Object Access	Audit Removable Storage	–	–
Object Access	Audit SAM	–	–
Object Access	Audit Central Access Policy Staging	–	–
Policy Change	Audit Audit Policy Change	V-26546	V-26547
Policy Change	Audit Authentication Policy Change	V-26548	–
Policy Change	Audit Authorization Policy Change	V-57633	V-57635
Policy Change	Audit Filtering Platform Policy Change	–	–
Policy Change	Audit MPSSVC Rule-Level Policy Change	–	–
Policy Change	Audit Other Policy Change Events	–	–
Privilege Use	Audit Non Sensitive Privilege Use	–	–
Privilege Use	Audit Other Privilege Use Events	–	–
Privilege Use	Audit Sensitive Privilege Use	V-26549	V-26550
System	Audit IPsec Driver	V-26551	V-26552
System	Audit Other System Events	–	–
System	Audit Security State Change	V-26553	V-26554
System	Audit Security System Extension	V-26555	V-26556
System	Audit System Integrity	V-26557	V-26558
Global Object Access Auditing	File system	–	–
Global Object Access Auditing	Registry	–	–

Commandline check

PS C:\WINDOWS\system32> auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               Success and Failure
  System Integrity                        Success and Failure
  IPsec Driver                            Success and Failure
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   No Auditing
  User / Device Claims                    No Auditing
  Group Membership                        Success
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
  Removable Storage                       Success and Failure
  Central Policy Staging                  No Auditing
Privilege Use
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
  Sensitive Privilege Use                 Success and Failure
Detailed Tracking
  Process Creation                        Success
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Plug and Play Events                    Success
  Token Right Adjusted Events             No Auditing
Policy Change
  Audit Policy Change                     Success and Failure
  Authentication Policy Change            Success
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           No Auditing
  Application Group Management            Success and Failure
  Other Account Management Events         Success and Failure
  User Account Management                 Success and Failure
DS Access
  Directory Service Access                No Auditing
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         No Auditing
  Credential Validation                   Success and Failure

PS C:\WINDOWS\system32> auditpol /get /category:* System audit policy Category/Subcategory Setting System Security System Extension Success and Failure System Integrity Success and Failure IPsec Driver Success and Failure Other System Events Success and Failure Security State Change Success Logon/Logoff Logon Success and Failure Logoff Success Account Lockout Success IPsec Main Mode No Auditing IPsec Quick Mode No Auditing IPsec Extended Mode No Auditing Special Logon Success Other Logon/Logoff Events Success and Failure Network Policy Server No Auditing User / Device Claims No Auditing Group Membership Success Object Access File System No Auditing Registry No Auditing Kernel Object No Auditing SAM No Auditing Certification Services No Auditing Application Generated No Auditing Handle Manipulation No Auditing File Share No Auditing Filtering Platform Packet Drop No Auditing Filtering Platform Connection No Auditing Other Object Access Events No Auditing Detailed File Share No Auditing Removable Storage Success and Failure Central Policy Staging No Auditing Privilege Use Non Sensitive Privilege Use No Auditing Other Privilege Use Events No Auditing Sensitive Privilege Use Success and Failure Detailed Tracking Process Creation Success Process Termination No Auditing DPAPI Activity No Auditing RPC Events No Auditing Plug and Play Events Success Token Right Adjusted Events No Auditing Policy Change Audit Policy Change Success and Failure Authentication Policy Change Success Authorization Policy Change No Auditing MPSSVC Rule-Level Policy Change No Auditing Filtering Platform Policy Change No Auditing Other Policy Change Events No Auditing Account Management Computer Account Management Success and Failure Security Group Management Success and Failure Distribution Group Management No Auditing Application Group Management Success and Failure Other Account Management Events Success and Failure User Account Management Success and Failure DS Access Directory Service Access No Auditing Directory Service Changes No Auditing Directory Service Replication No Auditing Detailed Directory Service Replication No Auditing Account Logon Kerberos Service Ticket Operations No Auditing Other Account Logon Events No Auditing Kerberos Authentication Service No Auditing Credential Validation Success and Failure

Nessus audit file check

Nessus can verify the “Advanced Audit Policy Configuration Settings” via an auditfile.
An check example is show below:

<custom_item>
 type : AUDIT_POLICY_SUBCATEGORY
 description : "CCE-37741-6:The system must be configured to audit Account Logon - Credential Validation Successes and Failure"
 info : "Windows Server 2012 R2 Server"
 info : "STIG V-26529"
 info : "STIG V-26530"
 value_type : AUDIT_SET
 value_data : "Success, Failure"
 audit_policy_subcategory : "Credential Validation"
</custom_item>

References

Advanced Security Audit Policy Settings (Technet)

VerifyIT

VerifyIT

Advanced Audit Policy Configuration Settings (Windows)

Objective:

Overview

Available Settings

Commandline check

Nessus audit file check

References

Objective:

Overview

Available Settings

Commandline check

Nessus audit file check

References

Share this: