Objective:
- Audit “Advanced Audit Policy Configuration Settings”
- Hardening / Configuring “Advanced Audit Policy Configuration Settings”
Overview
“Advanced Audit Policy Configuration Settings” can be configured via Group Policy.
Basic and advanced audit policy configurations should not be mixed.
Force the use of “Audit Policy Subcategory Settings”.
Available Settings
Category | Policy Name | Stigviewer Finding ID Success | Stigviewer Finding ID Failure |
Account Logon | Audit Credential Validation | V-26529 | V-26530 |
Account Logon | Audit Kerberos Authentication Service | – | – |
Account Logon | Audit Kerberos Service Ticket Operations | – | – |
Account Logon | Audit Other Account Logon Events | – | – |
Account Management | Audit Application Group Management | – | – |
Account Management | Audit Computer Account Management | V-26531 | V-26532 |
Account Management | Audit Distribution Group Management | – | – |
Account Management | Audit Other Account Management Events | V-26533 | V-26534 |
Account Management | Audit Security Group Management | V-26535 | V-26536 |
Account Management | Audit User Account Management | V-26537 | V-26538 |
Detailed Tracking | Audit DPAPI Activity | – | – |
Detailed Tracking | Audit PNP Activity | V-63451 | – |
Detailed Tracking | Audit Process Creation | V-26539 | – |
Detailed Tracking | Audit Process Termination | – | – |
Detailed Tracking | Audit RPC Events | – | – |
Detailed Tracking | Audit Token Right Adjusted | – | – |
DS Access | Audit Detailed Directory Service Replication | – | – |
DS Access | Audit Directory Service Access | V-33663 | V-33664 |
DS Access | Audit Directory Service Changes | V-33665 | V-33666 |
DS Access | Audit Directory Service Replication | – | – |
Logon/Logoff | Audit Account Lockout | – | – |
Logon/Logoff | Audit User / Device Claims | – | – |
Logon/Logoff | Audit Group Membership | V-63457 | – |
Logon/Logoff | Audit IPsec Extended Mode | – | – |
Logon/Logoff | Audit IPsec Main Mode | – | – |
Logon/Logoff | Audit IPsec Quick Mode | – | – |
Logon/Logoff | Audit Logoff | V-26540 | – |
Logon/Logoff | Audit Logon | V-26541 | V-26542 |
Logon/Logoff | Audit Network Policy Server | – | – |
Logon/Logoff | Audit Other Logon/Logoff Events | – | – |
Logon/Logoff | Audit Special Logon | V-26543 | – |
Object Access | Audit Application Generated | – | – |
Object Access | Audit Certification Services | – | – |
Object Access | Audit Detailed File Share | – | – |
Object Access | Audit File Share | – | – |
Object Access | Audit File System | – | – |
Object Access | Audit Filtering Platform Connection | – | – |
Object Access | Audit Filtering Platform Packet Drop | – | – |
Object Access | Audit Handle Manipulation | – | – |
Object Access | Audit Kernel Object | – | – |
Object Access | Audit Other Object Access Events | – | – |
Object Access | Audit Registry | – | – |
Object Access | Audit Removable Storage | – | – |
Object Access | Audit SAM | – | – |
Object Access | Audit Central Access Policy Staging | – | – |
Policy Change | Audit Audit Policy Change | V-26546 | V-26547 |
Policy Change | Audit Authentication Policy Change | V-26548 | – |
Policy Change | Audit Authorization Policy Change | V-57633 | V-57635 |
Policy Change | Audit Filtering Platform Policy Change | – | – |
Policy Change | Audit MPSSVC Rule-Level Policy Change | – | – |
Policy Change | Audit Other Policy Change Events | – | – |
Privilege Use | Audit Non Sensitive Privilege Use | – | – |
Privilege Use | Audit Other Privilege Use Events | – | – |
Privilege Use | Audit Sensitive Privilege Use | V-26549 | V-26550 |
System | Audit IPsec Driver | V-26551 | V-26552 |
System | Audit Other System Events | – | – |
System | Audit Security State Change | V-26553 | V-26554 |
System | Audit Security System Extension | V-26555 | V-26556 |
System | Audit System Integrity | V-26557 | V-26558 |
Global Object Access Auditing | File system | – | – |
Global Object Access Auditing | Registry | – | – |
Commandline check
PS C:\WINDOWS\system32> auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               Success and Failure
  System Integrity                        Success and Failure
  IPsec Driver                            Success and Failure
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   No Auditing
  User / Device Claims                    No Auditing
  Group Membership                        Success
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
  Removable Storage                       Success and Failure
  Central Policy Staging                  No Auditing
Privilege Use
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
  Sensitive Privilege Use                 Success and Failure
Detailed Tracking
  Process Creation                        Success
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Plug and Play Events                    Success
  Token Right Adjusted Events             No Auditing
Policy Change
  Audit Policy Change                     Success and Failure
  Authentication Policy Change            Success
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           No Auditing
  Application Group Management            Success and Failure
  Other Account Management Events         Success and Failure
  User Account Management                 Success and Failure
DS Access
  Directory Service Access                No Auditing
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         No Auditing
  Credential Validation                   Success and Failure
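As an added example (not part of this page, and not STIG or Nessus content), the PowerShell below checks both points of the page in one pass: that the "force subcategory settings" option from the Overview is in effect, via the SCENoApplyLegacyAuditPolicy LSA registry value that security option sets, and that the effective policy matches the STIG-backed rows of the table above. The subcategory names and the /r CSV format are auditpol's own; mapping each table row to a required setting is my reading of the table.

```powershell
# Added example, not from the page: verify subcategory override plus the STIG-backed
# rows of the table. Run elevated; auditpol.exe ships with Windows.

# Baseline keyed by subcategory name exactly as auditpol prints it (e.g. the table's
# "Audit PNP Activity" is "Plug and Play Events"). Rows with a finding ID in both
# columns require "Success and Failure"; a success-only ID requires "Success".
$Baseline = @{
    'Credential Validation'           = 'Success and Failure'  # V-26529 / V-26530
    'Computer Account Management'     = 'Success and Failure'  # V-26531 / V-26532
    'Other Account Management Events' = 'Success and Failure'  # V-26533 / V-26534
    'Security Group Management'       = 'Success and Failure'  # V-26535 / V-26536
    'User Account Management'         = 'Success and Failure'  # V-26537 / V-26538
    'Plug and Play Events'            = 'Success'              # V-63451
    'Process Creation'                = 'Success'              # V-26539
    'Group Membership'                = 'Success'              # V-63457
    'Logoff'                          = 'Success'              # V-26540
    'Logon'                           = 'Success and Failure'  # V-26541 / V-26542
    'Special Logon'                   = 'Success'              # V-26543
    'Audit Policy Change'             = 'Success and Failure'  # V-26546 / V-26547
    'Authentication Policy Change'    = 'Success'              # V-26548
    'Authorization Policy Change'     = 'Success and Failure'  # V-57633 / V-57635
    'Sensitive Privilege Use'         = 'Success and Failure'  # V-26549 / V-26550
    'IPsec Driver'                    = 'Success and Failure'  # V-26551 / V-26552
    'Security State Change'           = 'Success and Failure'  # V-26553 / V-26554
    'Security System Extension'       = 'Success and Failure'  # V-26555 / V-26556
    'System Integrity'                = 'Success and Failure'  # V-26557 / V-26558
}
# DS Access findings only apply to domain controllers (DomainRole 4 or 5).
if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) {
    $Baseline['Directory Service Access']  = 'Success and Failure'  # V-33663 / V-33664
    $Baseline['Directory Service Changes'] = 'Success and Failure'  # V-33665 / V-33666
}

# 1. The security option "Audit: Force audit policy subcategory settings ... to
#    override audit policy category settings" sets this LSA value to 1.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1: basic and advanced audit settings can mix.'
}

# 2. /r emits CSV (Subcategory, Inclusion Setting, ...) and parses reliably,
#    unlike the indented text output shown above.
$effective = auditpol /get /category:* /r | ConvertFrom-Csv
$findings = foreach ($row in $effective) {
    $want = $Baseline[$row.Subcategory]
    if ($null -eq $want -or $row.'Inclusion Setting' -eq $want) { continue }
    [pscustomobject]@{ Subcategory = $row.Subcategory; Expected = $want; Actual = $row.'Inclusion Setting' }
}
if ($findings) { $findings | Format-Table -AutoSize } else { 'All baseline subcategories match.' }
```

Against the output shown above this would report Security State Change (Success, where the table lists both V-26553 and V-26554) and Authorization Policy Change (No Auditing, versus V-57633 / V-57635).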
Nessus audit file check
Nessus can verify the “Advanced Audit Policy Configuration Settings” via an auditfile.
A check example is shown below:
<custom_item>
  type                     : AUDIT_POLICY_SUBCATEGORY
  description              : "CCE-37741-6:The system must be configured to audit Account Logon - Credential Validation Successes and Failure"
  info                     : "Windows Server 2012 R2 Server"
  info                     : "STIG V-26529"
  info                     : "STIG V-26530"
  value_type               : AUDIT_SET
  value_data               : "Success, Failure"
  audit_policy_subcategory : "Credential Validation"
</custom_item>