AUDIT_POLICY_SUBCATEGORY

This policy item checks the per-subcategory audit settings listed by auditpol /get /category:*.

The check is performed by running auditpol /get /category:* through cmd.exe via WMI on the target and parsing the output; the setting reported for the requested subcategory is compared against value_data.

Usage

<custom_item>

type: AUDIT_POLICY_SUBCATEGORY

description: ["description"]

value_type: [VALUE_TYPE]

value_data: [value]

(optional) check_type: [value]

audit_policy_subcategory: [SUBCATEGORY_POLICY_TYPE]

</custom_item>

This item uses the audit_policy_subcategory field to determine which subcategory is to be audited. The allowed SUBCATEGORY_POLICY_TYPE values are:

  • Security State Change
  • Security System Extension
  • System Integrity
  • IPsec Driver
  • Other System Events
  • Logon
  • Logoff
  • Account Lockout
  • IPsec Main Mode
  • IPsec Quick Mode
  • IPsec Extended Mode
  • Special Logon
  • Other Logon/Logoff Events
  • Network Policy Server
  • File System
  • Registry
  • Kernel Object
  • SAM
  • Certification Services
  • Application Generated
  • Handle Manipulation
  • File Share
  • Filtering Platform Packet Drop
  • Filtering Platform Connection
  • Other Object Access Events
  • Sensitive Privilege Use
  • Non Sensitive Privilege Use
  • Other Privilege Use Events
  • Process Creation
  • Process Termination
  • DPAPI Activity
  • RPC Events
  • Audit Policy Change
  • Authentication Policy Change
  • Authorization Policy Change
  • MPSSVC Rule-Level Policy Change
  • Filtering Platform Policy Change
  • Other Policy Change Events
  • User Account Management
  • Computer Account Management
  • Security Group Management
  • Distribution Group Management
  • Application Group Management
  • Other Account Management Events
  • Directory Service Access
  • Directory Service Changes
  • Directory Service Replication
  • Detailed Directory Service Replication
  • Credential Validation
  • Kerberos Service Ticket Operations
  • Other Account Logon Events

value_type: AUDIT_SET

value_data: "No auditing", "Success", "Failure", "Success, Failure"

Note: There is a required space in “Success, Failure”. This is the value_data spelling; auditpol itself prints the combined setting as “Success and Failure” and no auditing as “No Auditing”, but the audit file must use the forms listed above.

This check is only applicable to Windows Vista/Windows Server 2008 and later; earlier versions do not provide auditpol or per-subcategory audit policy. Because the check runs auditpol remotely via WMI, if a firewall is enabled then, in addition to adding WMI as an exception in the firewall settings, the Group Policy setting “Windows Firewall: Allow inbound remote administration exception” must also be enabled (for example with gpedit.msc). This check may not work on non-English Vista/2008 systems, since auditpol’s output is localized, or on systems that do not have auditpol installed.

Example

<custom_item>

type: AUDIT_POLICY_SUBCATEGORY

description: "AUDIT Security State Change"

value_type: AUDIT_SET

value_data: "Success, Failure"

audit_policy_subcategory: "Security State Change"

</custom_item>
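To see what the example above will be compared against before a scan runs, the following PowerShell reproduces the check’s comparison on the target itself. It is an added example, not Nessus code: it uses auditpol’s CSV output (/r) rather than the table format the check parses, and the function names, the `$expected` list and the sample CSV rows are all constructed for this illustration. Run it in an elevated session on Windows Vista/Server 2008 or later; the settings are normalised to the value_data vocabulary of this page, so unrecognised (for example localized) wording is reported rather than silently mis-compared.

```powershell
# Added example (not from the Nessus documentation): reproduce the comparison that
# AUDIT_POLICY_SUBCATEGORY performs, using "auditpol /get /category:* /r" (CSV output)
# instead of the table format the check itself parses. Requires an elevated session;
# auditpol /get needs the "Manage auditing and security log" privilege.

function ConvertTo-AuditSet {
    # Normalise auditpol's "Inclusion Setting" wording to the value_data vocabulary
    # ("No auditing", "Success", "Failure", "Success, Failure"). switch -Regex is
    # case-insensitive, so "No Auditing" maps to "No auditing".
    param([Parameter(Mandatory)][string]$Setting)
    switch -Regex ($Setting.Trim()) {
        '^Success and Failure$' { 'Success, Failure'; break }
        '^Success$'             { 'Success'; break }
        '^Failure$'             { 'Failure'; break }
        '^No Auditing$'         { 'No auditing'; break }
        default { throw "Unrecognised auditpol setting '$Setting' (non-English locale?)" }
    }
}

function Get-AuditSubcategorySettings {
    # Returns a hashtable of Subcategory -> normalised setting. -RawCsv lets the caller
    # pass captured output (e.g. collected from a remote host) instead of running
    # auditpol locally.
    param([string[]]$RawCsv)
    if (-not $RawCsv) {
        $RawCsv = & auditpol.exe /get /category:* /r
        if ($LASTEXITCODE -ne 0) { throw "auditpol exited with code $LASTEXITCODE (not elevated?)" }
    }
    $table = @{}
    foreach ($row in ($RawCsv | Where-Object { $_ -match '\S' } | ConvertFrom-Csv)) {
        $table[$row.Subcategory.Trim()] = ConvertTo-AuditSet $row.'Inclusion Setting'
    }
    return $table
}

function Test-AuditSubcategory {
    # $Expected: subcategory name -> value_data string exactly as written in the
    # .audit file. The comparison is case-insensitive.
    param(
        [Parameter(Mandatory)][hashtable]$Expected,
        [string[]]$RawCsv
    )
    $actual = Get-AuditSubcategorySettings -RawCsv $RawCsv
    foreach ($name in $Expected.Keys) {
        if (-not $actual.ContainsKey($name)) {
            [pscustomobject]@{ Subcategory = $name; Expected = $Expected[$name]; Actual = '<missing>'; Result = 'ERROR' }
            continue
        }
        $result = if ($actual[$name] -ieq $Expected[$name]) { 'PASSED' } else { 'FAILED' }
        [pscustomobject]@{ Subcategory = $name; Expected = $Expected[$name]; Actual = $actual[$name]; Result = $result }
    }
}

# Expected settings, as they would appear in audit items like the example above
# (constructed list for this illustration).
$expected = @{
    'Security State Change' = 'Success, Failure'
    'Logon'                 = 'Success, Failure'
    'Process Creation'      = 'Success'
}

# 1) Against a constructed capture of "auditpol /get /category:* /r", so the parsing
#    and comparison can be exercised on any machine. Expected result: Security State
#    Change PASSED, Logon FAILED, Process Creation FAILED.
$sampleCsv = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'WS01,System,Security State Change,{0CCE9210-69AE-11D9-BED3-505054503030},Success and Failure,'
    'WS01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success,'
    'WS01,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},No Auditing,'
)
Test-AuditSubcategory -Expected $expected -RawCsv $sampleCsv | Format-Table -AutoSize

# 2) Against the local machine (elevated session required).
Test-AuditSubcategory -Expected $expected | Format-Table -AutoSize
```

To check a remote host the same way Nessus reaches it, wrap the call in `Invoke-Command -ComputerName <host> { auditpol /get /category:* /r }` and pass the returned lines to `-RawCsv`; if that fails while WMI is otherwise reachable, the inbound remote administration firewall exception described above is the first thing to verify.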