AUDIT_POLICY_SUBCATEGORY

This policy item checks for the values listed in auditpol /get /category:*.

The check is performed by executing cmd.exe auditpol /get /category:* via WMI.

Usage

<custom_item>
type: AUDIT_POLICY_SUBCATEGORY
description: ["description"]
value_type: [VALUE_TYPE]
value_data: [value]
(optional) check_type: [value]
audit_policy_subcategory: [SUBCATEGORY_POLICY_TYPE]
</custom_item>

This item uses the audit_policy_subcategory field to determine which subcategory needs to be audited. The allowed SUBCATEGORY_POLICY_TYPE values are:

  • Security State Change
  • Security System Extension
  • System Integrity
  • IPsec Driver
  • Other System Events
  • Logon
  • Logoff
  • Account Lockout
  • IPsec Main Mode
  • IPsec Quick Mode
  • IPsec Extended Mode
  • Special Logon
  • Other Logon/Logoff Events
  • Network Policy Server
  • File System
  • Registry
  • Kernel Object
  • SAM
  • Certification Services
  • Application Generated
  • Handle Manipulation
  • File Share
  • Filtering Platform Packet Drop
  • Filtering Platform Connection
  • Other Object Access Events
  • Sensitive Privilege Use
  • Non Sensitive Privilege Use
  • Other Privilege Use Events
  • Process Creation
  • Process Termination
  • DPAPI Activity
  • RPC Events
  • Audit Policy Change
  • Authentication Policy Change
  • Authorization Policy Change
  • MPSSVC Rule-Level Policy Change
  • Filtering Platform Policy Change
  • Other Policy Change Events
  • User Account Management
  • Computer Account Management
  • Security Group Management
  • Distribution Group Management
  • Application Group Management
  • Other Account Management Events
  • Directory Service Access
  • Directory Service Changes
  • Directory Service Replication
  • Detailed Directory Service Replication
  • Credential Validation
  • Kerberos Service Ticket Operations
  • Other Account Logon Events

value_type: AUDIT_SET

value_data: "No auditing", "Success", "Failure", "Success, Failure"

Note: There is a required space in “Success, Failure”.

This check is only applicable for Windows Vista/2008 Server and later. If a firewall is enabled, then in addition to adding WMI as an exception in the firewall settings, “Windows Firewall : Allow inbound remote administration exception” must also be enabled in the firewall settings using gpedit.msc. This check may not work on non-English Vista/2008 systems or systems that do not have auditpol installed.

Example

<custom_item>
type: AUDIT_POLICY_SUBCATEGORY
description: "AUDIT Security State Change"
value_type: AUDIT_SET
value_data: "success, failure"
audit_policy_subcategory: "Security State Change"
</custom_item>
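As an added illustration (not Tenable's code), the following Python reproduces the comparison behind this item: it parses a constructed sample of auditpol /get /category:* output, translates auditpol's wording ("Success and Failure", "No Auditing") into the AUDIT_SET value_data wording, and evaluates the example item above against it. The sample output and the PASSED/FAILED/ERROR result labels are assumptions.

```python
import re
from typing import Dict

# Constructed sample of "auditpol /get /category:*" output; not captured from a real host.
SAMPLE_AUDITPOL_OUTPUT = """\
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Failure
"""

# auditpol prints "Success and Failure"; the .audit file expects "Success, Failure".
AUDITPOL_TO_AUDIT_SET = {
    "no auditing": "no auditing",
    "success": "success",
    "failure": "failure",
    "success and failure": "success, failure",
}

def parse_auditpol(output: str) -> Dict[str, str]:
    """Map each subcategory name to its setting in AUDIT_SET wording (lower-cased)."""
    policy = {}
    for line in output.splitlines():
        if not line.startswith("  "):      # category rows and headers are not indented
            continue
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) != 2:
            continue
        name, setting = parts
        policy[name] = AUDITPOL_TO_AUDIT_SET.get(setting.lower(), setting.lower())
    return policy

def normalize_value_data(value: str) -> str:
    """Canonicalize value_data: case-insensitive, exactly one space after each comma."""
    return ", ".join(t.strip().lower() for t in value.split(","))

def evaluate_item(subcategory: str, value_data: str, policy: Dict[str, str]) -> str:
    """Return PASSED/FAILED/ERROR (assumed labels) for one custom_item."""
    actual = policy.get(subcategory)
    if actual is None:
        return "ERROR"                      # subcategory absent from auditpol output
    return "PASSED" if actual == normalize_value_data(value_data) else "FAILED"

if __name__ == "__main__":
    policy = parse_auditpol(SAMPLE_AUDITPOL_OUTPUT)
    # The page's example item against the constructed sample (only Success is enabled)
    print(evaluate_item("Security State Change", "success, failure", policy))
```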

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.