Describe the bug
There are several[1] Windows 10 audit policy changes -- most of which were introduced in v4.28.0/PR #1519 -- that are not currently applied by PowerSTIG. They are assigned dscresource="None" rather than dscresource="AuditPolicySubcategory", and I wrote a patch for WindowsClient-10-3.5.xml to correct that categorization and attached it below (under "Expected behavior").
Regardless, my change to the WindowsClient XML file is a manual modification, and we should probably address the underlying issue causing this miscategorization.
A common pattern between these unconfigured STIGs is that these are "Advanced Audit Policy Configurations" which have Fix Text of the flavor:
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Handle Manipulation" with "Failure" selected.
This differs from the text found in other AuditPolicySubcategory items, which often leverage auditpol.exe (Example). Perhaps this observation can be used to correct whatever part of the STIG conversion code is necessary for adding items to the AuditPolicySubcategory resource.
NOTE: Despite the differing fix/check text, these "Advanced Audit Policy Configuration" items can be viewed and configured through Auditpol.exe and via the same code paths as AuditPolicySubcategory items.
To Reproduce
As of 4.28.0, the items in the range V-278918-V-278925 (new to v4.28) and V-257589 (pre-existing) cannot be applied automatically due to the misconfiguration described above. If PowerSTIG v4.28.0 is run without any additional configuration, those items will not be configured to match the STIG baseline and will remain open if they were open before.
Expected behavior
All of these audit policy changes should be associated with a DSC resource, perhaps AuditPolicySubcategory, and should be configured when PowerSTIG is run. Currently no such configuration happens, and the policies do not have an associated DSC resource.
Below I have attached a diff for WindowsClient-10-3.5.xml that adds those 9 items to the AuditPolicySubcategory DSC resource for correct configuration.
Patch for `WindowsClient-10-3.5.xml`
diff --git b/./OfflineModules_clean/PowerSTIG/4.28.0/StigData/Processed/WindowsClient-10-3.5.xml a/./OfflineModules/PowerSTIG/4.28.0/StigData/Processed/WindowsClient-10-3.5.xml
index 23f26ab..fcb2fa9 100644
--- b/./OfflineModules_clean/PowerSTIG/4.28.0/StigData/Processed/WindowsClient-10-3.5.xml
+++ a/./OfflineModules/PowerSTIG/4.28.0/StigData/Processed/WindowsClient-10-3.5.xml
@@ -992,6 +992,154 @@ Policy Change >> MPSSVC Rule-Level Policy Change - Failure
</RawString>
<Subcategory>MPSSVC Rule-Level Policy Change</Subcategory>
</Rule>
+
+ <Rule id="V-278918" severity="medium" conversionstatus="pass" title="SRG-OS-000062-GPOS-00031" dscresource="AuditPolicySubcategory">
+ <AuditFlag>Failure</AuditFlag>
+ <Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
+ <DuplicateOf />
+ <Ensure>Present</Ensure>
+ <IsNullOrEmpty>False</IsNullOrEmpty>
+ <LegacyId>
+ </LegacyId>
+ <OrganizationValueRequired>False</OrganizationValueRequired>
+ <OrganizationValueTestString />
+ <RawString>Verify that Audit File System auditing has been enabled:
+
+Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit File System.
+
+If "Audit File System" is not set to "Failure", this is a finding.</RawString>
+ <Subcategory>File System</Subcategory>
+ </Rule>
+ <Rule id="V-278919" severity="medium" conversionstatus="pass" title="SRG-OS-000062-GPOS-00031" dscresource="AuditPolicySubcategory">
+ <AuditFlag>Success</AuditFlag>
+ <Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
+ <DuplicateOf />
+ <IsNullOrEmpty>False</IsNullOrEmpty>
+ <LegacyId>
+ </LegacyId>
+ <OrganizationValueRequired>False</OrganizationValueRequired>
+ <OrganizationValueTestString />
+ <RawString>Verify that Audit File System auditing has been enabled:
+
+Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit File System.
+
+If "Audit File System" is not set to "Success", this is a finding.</RawString>
+ <Subcategory>File System</Subcategory>
+ </Rule>
+ <Rule id="V-278920" severity="medium" conversionstatus="pass" title="SRG-OS-000062-GPOS-00031" dscresource="AuditPolicySubcategory">
+ <AuditFlag>Failure</AuditFlag>
+ <Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
+ <DuplicateOf />
+ <IsNullOrEmpty>False</IsNullOrEmpty>
+ <LegacyId>
+ </LegacyId>
+ <OrganizationValueRequired>False</OrganizationValueRequired>
+ <OrganizationValueTestString />
+ <RawString>Verify that Audit Handle Manipulation auditing has been enabled:
+
+Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Handle Manipulation.
+
+If "Audit Handle Manipulation" is not set to "Failure", this is a finding.</RawString>
+ <Subcategory>Handle Manipulation</Subcategory>
+ </Rule>
+ <Rule id="V-278921" severity="medium" conversionstatus="pass" title="SRG-OS-000062-GPOS-00031" dscresource="AuditPolicySubcategory">
+ <AuditFlag>Success</AuditFlag>
+ <Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
+ <DuplicateOf />
+ <IsNullOrEmpty>False</IsNullOrEmpty>
+ <LegacyId>
+ </LegacyId>
+ <OrganizationValueRequired>False</OrganizationValueRequired>
+ <OrganizationValueTestString />
+ <RawString>Verify that Audit Handle Manipulation auditing has been enabled:
+
+Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Handle Manipulation.
+
+If "Audit Handle Manipulation" is not set to "Success", this is a finding.</RawString>
+ <Subcategory>Handle Manipulation</Subcategory>
+ </Rule>
+ <Rule id="V-278922" severity="medium" conversionstatus="pass" title="SRG-OS-000062-GPOS-00031" dscresource="AuditPolicySubcategory">
+ <AuditFlag>Success</AuditFlag>
+ <Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
+ <DuplicateOf />
+ <IsNullOrEmpty>False</IsNullOrEmpty>
+ <LegacyId>
+ </LegacyId>
+ <OrganizationValueRequired>False</OrganizationValueRequired>
+ <OrganizationValueTestString />
+ <RawString>Verify that Audit Registry auditing has been enabled:
+
+Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Registry.
+
+If "Audit Registry" is not set to "Success", this is a finding.</RawString>
+ <Subcategory>Registry</Subcategory>
+ </Rule>
+ <Rule id="V-278923" severity="medium" conversionstatus="pass" title="SRG-OS-000062-GPOS-00031" dscresource="AuditPolicySubcategory">
+ <AuditFlag>Failure</AuditFlag>
+ <Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
+ <DuplicateOf />
+ <IsNullOrEmpty>False</IsNullOrEmpty>
+ <LegacyId>
+ </LegacyId>
+ <OrganizationValueRequired>False</OrganizationValueRequired>
+ <OrganizationValueTestString />
+ <RawString>Verify that Audit Registry auditing has been enabled:
+
+Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Registry.
+
+If "Audit Registry" is not set to "Failure", this is a finding.</RawString>
+ <Subcategory>Registry</Subcategory>
+ </Rule>
+ <Rule id="V-278924" severity="medium" conversionstatus="pass" title="SRG-OS-000062-GPOS-00031" dscresource="AuditPolicySubcategory">
+ <AuditFlag>Success</AuditFlag>
+ <Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
+ <DuplicateOf />
+ <IsNullOrEmpty>False</IsNullOrEmpty>
+ <LegacyId>
+ </LegacyId>
+ <OrganizationValueRequired>False</OrganizationValueRequired>
+ <OrganizationValueTestString />
+ <RawString>Verify that Audit Sensitive Privilege Use auditing has been enabled:
+
+Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use.
+
+If "Audit Sensitive Privilege Use" is not set to "Success", this is a finding.</RawString>
+ <Subcategory>Sensitive Privilege Use</Subcategory>
+ </Rule>
+ <Rule id="V-278925" severity="medium" conversionstatus="pass" title="SRG-OS-000062-GPOS-00031" dscresource="AuditPolicySubcategory">
+ <AuditFlag>Success</AuditFlag>
+ <Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
+ <DuplicateOf />
+ <IsNullOrEmpty>False</IsNullOrEmpty>
+ <LegacyId>
+ </LegacyId>
+ <OrganizationValueRequired>False</OrganizationValueRequired>
+ <OrganizationValueTestString />
+ <RawString>Verify that Audit Sensitive Privilege Use auditing has been enabled:
+
+Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use.
+
+If "Audit Sensitive Privilege Use" is not set to "Failure", this is a finding.</RawString>
+ <Subcategory>Sensitive Privilege Use</Subcategory>
+ </Rule>
+ <Rule id="V-257589" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="AuditPolicySubcategory">
+ <AuditFlag>Failure</AuditFlag>
+ <Description><VulnDiscussion>When this policy setting is enabled, the operating system generates audit events when a process fails to start and the name of the program or user that created it.
+
+These audit events can assist in understanding how a computer is being used and tracking user activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
+ <DuplicateOf />
+ <IsNullOrEmpty>False</IsNullOrEmpty>
+ <LegacyId>
+ </LegacyId>
+ <OrganizationValueRequired>False</OrganizationValueRequired>
+ <OrganizationValueTestString />
+ <RawString>Ensure Audit Process Creation auditing has been enabled:
+
+Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >>System Audit Policies >> Detailed Tracking >> Audit Process Creation".
+
+If "Audit Process Creation" is not set to "Failure", this is a finding.</RawString>
+ <Subcategory>Process Creation</Subcategory>
+ </Rule>
</AuditPolicyRule>
<AuditSettingRule dscresourcemodule="AuditSystemDsc">
<Rule id="V-220706" severity="high" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="AuditSetting">
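Review bot: in the added rule V-278925 the `<AuditFlag>Success</AuditFlag>` contradicts that rule's own RawString, which ends `If "Audit Sensitive Privilege Use" is not set to "Failure", this is a finding.`; V-278924 already carries the Success half, so V-278925 should read `<AuditFlag>Failure</AuditFlag>`, otherwise the Failure audit is never configured and that finding stays open. Separately, `<Ensure>Present</Ensure>` appears only in V-278918 and in none of the other eight added rules; whichever element set the existing AuditPolicySubcategory rules in this section use (the MPSSVC Rule-Level Policy Change rule just above is the nearest reference) should be applied uniformly so the resource gets the same parameters for every rule.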
@@ -1656,22 +1804,6 @@ If IE11 is installed or not disabled on Windows 10 semi-annual channel, this is
If IE11 is installed on a unsupported operating system and is enabled or installed, this is a finding.
For more information, visit: https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge#what-is-the-lifecycle-policy-for-internet-explorer-</RawString>
- </Rule>
- <Rule id="V-257589" severity="medium" conversionstatus="pass" title="SRG-OS-000037-GPOS-00015" dscresource="None">
- <Description><VulnDiscussion>When this policy setting is enabled, the operating system generates audit events when a process fails to start and the name of the program or user that created it.
-
-These audit events can assist in understanding how a computer is being used and tracking user activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
- <DuplicateOf />
- <IsNullOrEmpty>False</IsNullOrEmpty>
- <LegacyId>
- </LegacyId>
- <OrganizationValueRequired>False</OrganizationValueRequired>
- <OrganizationValueTestString />
- <RawString>Ensure Audit Process Creation auditing has been enabled:
-
-Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >>System Audit Policies >> Detailed Tracking >> Audit Process Creation".
-
-If "Audit Process Creation" is not set to "Failure", this is a finding.</RawString>
</Rule>
<Rule id="V-257593" severity="medium" conversionstatus="pass" title="SRG-OS-000480-GPOS-00227" dscresource="None">
<Description><VulnDiscussion>Having portproxy enabled or configured in Windows 10 could allow a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
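Review bot: the V-257589 text removed here needs to stay byte-for-byte identical to the copy added under AuditPolicyRule, including the stray closing quote after `Audit Process Creation"` in the RawString; that quote comes from the STIG check text and should not be tidied as a side effect of the move, since the RawString is what ties the rule back to its source. Structurally the hunk is fine: the deleted `</Rule>` at the top closes the preceding IE11 rule and V-257589's own closing tag survives as context, so ManualRule remains well-formed.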
@@ -1727,118 +1859,6 @@ If the Windows 10 system is not receiving policy from either Group Policy or an
This is NA for standalone, nondomain-joined systems.</RawString>
</Rule>
- <Rule id="V-278918" severity="medium" conversionstatus="pass" title="SRG-OS-000062-GPOS-00031" dscresource="None">
- <Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
- <DuplicateOf />
- <IsNullOrEmpty>False</IsNullOrEmpty>
- <LegacyId>
- </LegacyId>
- <OrganizationValueRequired>False</OrganizationValueRequired>
- <OrganizationValueTestString />
- <RawString>Verify that Audit File System auditing has been enabled:
-
-Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit File System.
-
-If "Audit File System" is not set to "Failure", this is a finding.</RawString>
- </Rule>
- <Rule id="V-278919" severity="medium" conversionstatus="pass" title="SRG-OS-000062-GPOS-00031" dscresource="None">
- <Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
- <DuplicateOf />
- <IsNullOrEmpty>False</IsNullOrEmpty>
- <LegacyId>
- </LegacyId>
- <OrganizationValueRequired>False</OrganizationValueRequired>
- <OrganizationValueTestString />
- <RawString>Verify that Audit File System auditing has been enabled:
-
-Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit File System.
-
-If "Audit File System" is not set to "Success", this is a finding.</RawString>
- </Rule>
- <Rule id="V-278920" severity="medium" conversionstatus="pass" title="SRG-OS-000062-GPOS-00031" dscresource="None">
- <Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
- <DuplicateOf />
- <IsNullOrEmpty>False</IsNullOrEmpty>
- <LegacyId>
- </LegacyId>
- <OrganizationValueRequired>False</OrganizationValueRequired>
- <OrganizationValueTestString />
- <RawString>Verify that Audit Handle Manipulation auditing has been enabled:
-
-Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Handle Manipulation.
-
-If "Audit Handle Manipulation" is not set to "Failure", this is a finding.</RawString>
- </Rule>
- <Rule id="V-278921" severity="medium" conversionstatus="pass" title="SRG-OS-000062-GPOS-00031" dscresource="None">
- <Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
- <DuplicateOf />
- <IsNullOrEmpty>False</IsNullOrEmpty>
- <LegacyId>
- </LegacyId>
- <OrganizationValueRequired>False</OrganizationValueRequired>
- <OrganizationValueTestString />
- <RawString>Verify that Audit Handle Manipulation auditing has been enabled:
-
-Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Handle Manipulation.
-
-If "Audit Handle Manipulation" is not set to "Success", this is a finding.</RawString>
- </Rule>
- <Rule id="V-278922" severity="medium" conversionstatus="pass" title="SRG-OS-000062-GPOS-00031" dscresource="None">
- <Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
- <DuplicateOf />
- <IsNullOrEmpty>False</IsNullOrEmpty>
- <LegacyId>
- </LegacyId>
- <OrganizationValueRequired>False</OrganizationValueRequired>
- <OrganizationValueTestString />
- <RawString>Verify that Audit Registry auditing has been enabled:
-
-Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Registry.
-
-If "Audit Registry" is not set to "Success", this is a finding.</RawString>
- </Rule>
- <Rule id="V-278923" severity="medium" conversionstatus="pass" title="SRG-OS-000062-GPOS-00031" dscresource="None">
- <Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
- <DuplicateOf />
- <IsNullOrEmpty>False</IsNullOrEmpty>
- <LegacyId>
- </LegacyId>
- <OrganizationValueRequired>False</OrganizationValueRequired>
- <OrganizationValueTestString />
- <RawString>Verify that Audit Registry auditing has been enabled:
-
-Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Registry.
-
-If "Audit Registry" is not set to "Failure", this is a finding.</RawString>
- </Rule>
- <Rule id="V-278924" severity="medium" conversionstatus="pass" title="SRG-OS-000062-GPOS-00031" dscresource="None">
- <Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
- <DuplicateOf />
- <IsNullOrEmpty>False</IsNullOrEmpty>
- <LegacyId>
- </LegacyId>
- <OrganizationValueRequired>False</OrganizationValueRequired>
- <OrganizationValueTestString />
- <RawString>Verify that Audit Sensitive Privilege Use auditing has been enabled:
-
-Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use.
-
-If "Audit Sensitive Privilege Use" is not set to "Success", this is a finding.</RawString>
- </Rule>
- <Rule id="V-278925" severity="medium" conversionstatus="pass" title="SRG-OS-000062-GPOS-00031" dscresource="None">
- <Description><VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description>
- <DuplicateOf />
- <IsNullOrEmpty>False</IsNullOrEmpty>
- <LegacyId>
- </LegacyId>
- <OrganizationValueRequired>False</OrganizationValueRequired>
- <OrganizationValueTestString />
- <RawString>Verify that Audit Sensitive Privilege Use auditing has been enabled:
-
-Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> Audit Sensitive Privilege Use.
-
-If "Audit Sensitive Privilege Use" is not set to "Failure", this is a finding.</RawString>
- </Rule>
</ManualRule>
<PermissionRule dscresourcemodule="AccessControlDsc">
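Review bot: these eight deletions only exist in the hand-edited Processed file, so the next run of the STIG conversion will regenerate WindowsClient-10-3.5.xml and put the same rules back under ManualRule with dscresource="None"; the conversion code's recognition of the "Advanced Audit Policy Configuration" check text needs the matching change before this patch is worth merging on its own. The hunk header is consistent with the content (eight rules of fourteen lines plus six context lines account for the `-1727,118` old-side count), so nothing unrelated was swept up.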
 <Rule id="V-220717.a" severity="medium" conversionstatus="pass" title="SRG-OS-000312-GPOS-00122" dscresource="NTFSAccessEntry">

Additional items, Future work
Unless the process for updating these XML files is manual, there is probably some conversion process that needs to be updated to ensure that the "Advanced Audit Policy" items are added to the correct DSC Resource. While my patched file does work, it was a manual modification.
What is the current procedure for converting STIG XML files to the XML files consumed by PowerSTIG? The "Convert" wiki page linked in the README appears to be non-existent. It generally would be very useful to me to have the documentation for updating PowerSTIG XMLs in-hand, but also it would help me determine what code paths need to be updated to fix this issue.
@MrAutomater can you point me in the right direction w.r.t. XML conversion guides? I assume that you are familiar with these procedures.
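As an added example (not PowerSTIG's own code) of the check-text pattern described above: one PowerShell function derives the AuditPolicySubcategory fields (Subcategory and AuditFlag) from the `If "Audit …" is not set to "…", this is a finding.` sentence, and a second cross-checks the rules in a Processed-XML fragment against that derivation and emits the matching `auditpol /get` query string for manual verification. The function names, the root element name and the sample XML are constructed for illustration; the sample's second rule deliberately carries an `<AuditFlag>` that disagrees with its check text, which is exactly the kind of mismatch a conversion step should reject.

```powershell
# Added example, not PowerSTIG code. Function names and sample XML are constructed.

function ConvertFrom-AdvancedAuditCheckText {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string] $CheckText)

    # Advanced Audit Policy check text ends with:
    #   If "Audit <Subcategory>" is not set to "<Flag>", this is a finding.
    # The auditpol subcategory name is the quoted name without its "Audit " prefix.
    $pattern = 'If\s+"Audit\s+(?<Subcategory>[^"]+)"\s+is\s+not\s+set\s+to\s+"(?<Flag>Success and Failure|Success|Failure)"'
    $m = [regex]::Match($CheckText, $pattern)
    if (-not $m.Success) { return $null }   # not the Advanced Audit Policy pattern

    [pscustomobject]@{
        Subcategory = $m.Groups['Subcategory'].Value.Trim()
        AuditFlag   = $m.Groups['Flag'].Value
        DscResource = 'AuditPolicySubcategory'
    }
}

function Test-AuditPolicyRuleConsistency {
    [CmdletBinding()]
    param([Parameter(Mandatory)][xml] $Xml)

    foreach ($rule in $Xml.SelectNodes('//AuditPolicyRule/Rule')) {
        $parsed = ConvertFrom-AdvancedAuditCheckText -CheckText $rule.RawString
        if ($null -eq $parsed) { continue }

        [pscustomobject]@{
            Id          = $rule.id
            XmlFlag     = $rule.AuditFlag
            TextFlag    = $parsed.AuditFlag
            XmlSubcat   = $rule.Subcategory
            TextSubcat  = $parsed.Subcategory
            Consistent  = ($rule.AuditFlag -eq $parsed.AuditFlag) -and
                          ($rule.Subcategory -eq $parsed.Subcategory)
            # Query string a reviewer can run by hand to confirm the live setting.
            AuditpolGet = 'auditpol /get /subcategory:"{0}"' -f $parsed.Subcategory
        }
    }
}

# Constructed sample shaped like the patched rules above. Rule 2's <AuditFlag>
# deliberately disagrees with its check text so the mismatch is visible in the output.
[xml] $sample = @'
<StigSample>
  <AuditPolicyRule>
    <Rule id="V-EXAMPLE-1" dscresource="AuditPolicySubcategory">
      <AuditFlag>Failure</AuditFlag>
      <RawString>Verify that Audit File System auditing has been enabled. If "Audit File System" is not set to "Failure", this is a finding.</RawString>
      <Subcategory>File System</Subcategory>
    </Rule>
    <Rule id="V-EXAMPLE-2" dscresource="AuditPolicySubcategory">
      <AuditFlag>Success</AuditFlag>
      <RawString>Verify that Audit Sensitive Privilege Use auditing has been enabled. If "Audit Sensitive Privilege Use" is not set to "Failure", this is a finding.</RawString>
      <Subcategory>Sensitive Privilege Use</Subcategory>
    </Rule>
  </AuditPolicyRule>
</StigSample>
'@

Test-AuditPolicyRuleConsistency -Xml $sample |
    Format-Table Id, XmlFlag, TextFlag, XmlSubcat, Consistent, AuditpolGet -AutoSize
```

Pointing `Test-AuditPolicyRuleConsistency` at a real Processed file (`[xml] (Get-Content -Raw .\WindowsClient-10-3.5.xml)`) lists every AuditPolicyRule entry whose `<AuditFlag>` or `<Subcategory>` disagrees with its RawString; the same regex is the recognition step the conversion code would need in order to route these items to AuditPolicySubcategory instead of ManualRule.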
Footnotes

[1] IDs in the range V-278918-V-278925 and V-257589. V-257589 predates PR #1512 (Update PowerStig to parse/apply Microsoft Windows 10 STIG - Ver 3, Rel 5).