Re: Audit Policies

What are you using to produce this report, what options, etc?

Re: Audit Policies

Download the current version of DumpSec, which should be 2.8.6. I think this is a bug caused by new policies and DumpSec was not originally designed to know what the new policies are.

Re: Audit Policies

I have slightly the same problem with reports produced by DumpSec 2.8.6.

Audit Policies I get with DumpSec are:
Restart and Shutdown
Logon and Logoff
File/Object Access
Use of User Right
Process Tracking
Security Policy Changes
User/Group Management
User/Group Management
User/Group Management

On the other hand, Audit Policies in Windows are:
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events

How do the two match? I was able to work out the followings:
Use of User Right = Audit privilege use
Process Tracking = Audit process tracking
File/Object Access = Audit object access
but I'm quite confused about the others.

Can you advise plese?

Re: Audit Policies

I've realised that the reports were actually made with DumpSec 2.8.1'h' - "User/Group Management" isn't tripled in 2.8.6. Still the naming scheme differs from what Windows uses, but after a "brainstorming" I believe the mapping is the following:

Windows = Dumpsec 2.8.6 = Dumpsec older version
Account logon events = Privileged Account Logon = User/Group Management3
Account management = User/Group Management = User/Group Management1
Directory service access = Directory Service Access = User/Group Management2
Logon events = Logon and Logoff = Logon and Logoff
Object access = File/Object Access = File/Object Access
Policy changes = Security Policy Changes = Security Policy Changes
Privilege use = Use of User Right = Use of User Right
Process tracking = Process Tracking =Process Tracking
System events = Restart and Shutdown = Restart and Shutdown

Let me know if I'm wrong

Re: Audit Policies

These values come from a Windows structure named POLICY_AUDIT_EVENT_TYPE, which is documented here:
http://msdn.microsoft.com/en-us/library/ms721903.aspx

The Windows to DumpSec mapping is as follows:

AuditCategoryLogon = "Logon and Logoff"
AuditCategoryObjectAccess = "File/Object Access"
AuditCategoryPrivilegeUse = "Use of User Right"
AuditCategoryAccountManagement = "User/Group Management"
AuditCategoryPolicyChange = "Security Policy Changes"
AuditCategorySystem "Restart and Shutdown"
AuditCategoryDetailedTracking = "Process Tracking"
AuditCategoryDirectoryServiceAccess = "Directory Service Access"
AuditCategoryAccountLogon = "Privileged Account Logon"