
Audit Policies


  • Audit Policies

    I am checking the audit policies, and I found this:
    User/Group Management : Success or Failure
    User/Group Management : No Auditing
    User/Group Management : Success or Failure

    I don't know why I have 2 of the same event (User/Group Management) auditing Success or Failure, and one of them with "No Auditing". What does it mean? Is the event being audited or not?

  • #2
    Re: Audit Policies

    What are you using to produce this report, what options, etc?


    • #3
      Re: Audit Policies

      Download the current version of DumpSec, which should be 2.8.6. I think this is a bug caused by new policies and DumpSec was not originally designed to know what the new policies are.
      Kevin Stanush
      SystemTools Software Inc.


      • #4
        Re: Audit Policies

        I have slightly the same problem with reports produced by DumpSec 2.8.6.

        Audit Policies I get with DumpSec are:
        Restart and Shutdown
        Logon and Logoff
        File/Object Access
        Use of User Right
        Process Tracking
        Security Policy Changes
        User/Group Management
        User/Group Management
        User/Group Management

        On the other hand, Audit Policies in Windows are:
        Audit account logon events
        Audit account management
        Audit directory service access
        Audit logon events
        Audit object access
        Audit policy change
        Audit privilege use
        Audit process tracking
        Audit system events

        How do the two match? I was able to work out the following:
        Use of User Right = Audit privilege use
        Process Tracking = Audit process tracking
        File/Object Access = Audit object access
        but I'm quite confused about the others.

        Can you advise please?


        • #5
          Re: Audit Policies

          I've realised that the reports were actually made with DumpSec 2.8.1'h' - "User/Group Management" isn't tripled in 2.8.6. Still the naming scheme differs from what Windows uses, but after a "brainstorming" I believe the mapping is the following:

          Windows = Dumpsec 2.8.6 = Dumpsec older version
          Account logon events = Privileged Account Logon = User/Group Management3
          Account management = User/Group Management = User/Group Management1
          Directory service access = Directory Service Access = User/Group Management2
          Logon events = Logon and Logoff = Logon and Logoff
          Object access = File/Object Access = File/Object Access
          Policy changes = Security Policy Changes = Security Policy Changes
          Privilege use = Use of User Right = Use of User Right
          Process tracking = Process Tracking = Process Tracking
          System events = Restart and Shutdown = Restart and Shutdown

          Let me know if I'm wrong


          • #6
            Re: Audit Policies

            These values come from a Windows structure named POLICY_AUDIT_EVENT_TYPE, which is documented here:

            The Windows to DumpSec mapping is as follows:

            AuditCategoryLogon = "Logon and Logoff"
            AuditCategoryObjectAccess = "File/Object Access"
            AuditCategoryPrivilegeUse = "Use of User Right"
            AuditCategoryAccountManagement = "User/Group Management"
            AuditCategoryPolicyChange = "Security Policy Changes"
            AuditCategorySystem = "Restart and Shutdown"
            AuditCategoryDetailedTracking = "Process Tracking"
            AuditCategoryDirectoryServiceAccess = "Directory Service Access"
            AuditCategoryAccountLogon = "Privileged Account Logon"
            Kevin Stanush
            SystemTools Software Inc.
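The two mappings in this thread (the three-column table in #5 and the POLICY_AUDIT_EVENT_TYPE list in #6) can be combined into a small checker for DumpSec output. The following is an added example, not code from the thread or from DumpSec/SystemTools: it parses a DumpSec-style audit policy listing, maps each label back to its Windows audit category, and reports which categories are set to "No Auditing". The enum values are the declaration order of POLICY_AUDIT_EVENT_TYPE in ntsecapi.h; the assumption that an older DumpSec's three "User/Group Management" lines are categories 6, 7 and 8 in enum order is taken from post #5 and is marked as an assumption in the code; the report lines are constructed, not captured from a real system.

```python
"""Parse a DumpSec-style audit policy listing and map each line back to its
Windows audit category via POLICY_AUDIT_EVENT_TYPE.

Added example for this thread; not code from DumpSec or SystemTools.
SAMPLE_REPORT is constructed, not taken from a real system."""
from dataclasses import dataclass
from enum import IntEnum


class PolicyAuditEventType(IntEnum):
    """POLICY_AUDIT_EVENT_TYPE from ntsecapi.h; declaration order is the value."""
    AuditCategorySystem = 0
    AuditCategoryLogon = 1
    AuditCategoryObjectAccess = 2
    AuditCategoryPrivilegeUse = 3
    AuditCategoryDetailedTracking = 4
    AuditCategoryPolicyChange = 5
    AuditCategoryAccountManagement = 6
    AuditCategoryDirectoryServiceAccess = 7
    AuditCategoryAccountLogon = 8


# DumpSec 2.8.6 label for each category, as listed in post #6.
DUMPSEC_LABEL = {
    PolicyAuditEventType.AuditCategorySystem: "Restart and Shutdown",
    PolicyAuditEventType.AuditCategoryLogon: "Logon and Logoff",
    PolicyAuditEventType.AuditCategoryObjectAccess: "File/Object Access",
    PolicyAuditEventType.AuditCategoryPrivilegeUse: "Use of User Right",
    PolicyAuditEventType.AuditCategoryDetailedTracking: "Process Tracking",
    PolicyAuditEventType.AuditCategoryPolicyChange: "Security Policy Changes",
    PolicyAuditEventType.AuditCategoryAccountManagement: "User/Group Management",
    PolicyAuditEventType.AuditCategoryDirectoryServiceAccess: "Directory Service Access",
    PolicyAuditEventType.AuditCategoryAccountLogon: "Privileged Account Logon",
}

# The same categories under the names Local Security Policy shows (post #4).
WINDOWS_NAME = {
    PolicyAuditEventType.AuditCategorySystem: "Audit system events",
    PolicyAuditEventType.AuditCategoryLogon: "Audit logon events",
    PolicyAuditEventType.AuditCategoryObjectAccess: "Audit object access",
    PolicyAuditEventType.AuditCategoryPrivilegeUse: "Audit privilege use",
    PolicyAuditEventType.AuditCategoryDetailedTracking: "Audit process tracking",
    PolicyAuditEventType.AuditCategoryPolicyChange: "Audit policy change",
    PolicyAuditEventType.AuditCategoryAccountManagement: "Audit account management",
    PolicyAuditEventType.AuditCategoryDirectoryServiceAccess: "Audit directory service access",
    PolicyAuditEventType.AuditCategoryAccountLogon: "Audit account logon events",
}

# ASSUMPTION (suggested by post #5's table, not confirmed by the vendor): the
# older DumpSec printed categories 6, 7 and 8 in enum order, all under the
# single label "User/Group Management".
LEGACY_REPEATED_LABEL = "User/Group Management"
LEGACY_REPEATED_ORDER = [
    PolicyAuditEventType.AuditCategoryAccountManagement,
    PolicyAuditEventType.AuditCategoryDirectoryServiceAccess,
    PolicyAuditEventType.AuditCategoryAccountLogon,
]

# Constructed sample: the older layout from post #4 with the settings post #1 saw.
SAMPLE_REPORT = [
    "Restart and Shutdown : Success or Failure",
    "Logon and Logoff : Success or Failure",
    "File/Object Access : No Auditing",
    "Use of User Right : Failure",
    "Process Tracking : No Auditing",
    "Security Policy Changes : Success or Failure",
    "User/Group Management : Success or Failure",
    "User/Group Management : No Auditing",
    "User/Group Management : Success or Failure",
]


@dataclass
class AuditSetting:
    category: PolicyAuditEventType
    dumpsec_label: str
    setting: str  # "Success or Failure", "Success", "Failure" or "No Auditing"

    @property
    def windows_name(self) -> str:
        return WINDOWS_NAME[self.category]


def parse_report(lines):
    """Turn 'Label : Setting' lines into AuditSetting records.  A label that
    repeats is resolved positionally via LEGACY_REPEATED_ORDER; every other
    label must be one of the 2.8.6 labels in DUMPSEC_LABEL."""
    label_to_category = {label: cat for cat, label in DUMPSEC_LABEL.items()}
    repeats_total = sum(1 for ln in lines if ln.split(":", 1)[0].strip() == LEGACY_REPEATED_LABEL)
    repeats_seen = 0
    parsed = []
    for line in lines:
        if ":" not in line:
            continue  # blank or header line
        label, setting = (part.strip() for part in line.split(":", 1))
        if label == LEGACY_REPEATED_LABEL and repeats_total > 1:
            if repeats_seen >= len(LEGACY_REPEATED_ORDER):
                raise ValueError(f"too many {label!r} lines to disambiguate")
            category = LEGACY_REPEATED_ORDER[repeats_seen]
            repeats_seen += 1
        elif label in label_to_category:
            category = label_to_category[label]
        else:
            raise ValueError(f"unknown DumpSec audit category label: {label!r}")
        parsed.append(AuditSetting(category, label, setting))
    return parsed


def unaudited_categories(settings):
    """Windows names of categories set to 'No Auditing', in report order."""
    return [s.windows_name for s in settings if s.setting == "No Auditing"]


if __name__ == "__main__":
    settings = parse_report(SAMPLE_REPORT)
    for s in settings:
        print(f"{s.dumpsec_label:26} -> {s.windows_name:32} {s.setting}")
    print("Not audited:", unaudited_categories(settings))
```

On a live system, `auditpol /get /category:*` lists the same categories under their Windows names, so the parsed DumpSec view can be compared against it directly; if the positional assumption for the old three-line output does not hold for a given DumpSec build, upgrading to 2.8.6 (as advised in #3) removes the ambiguity rather than requiring the guess.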