
Audit Policies


  • kstanush
    replied
    Re: Audit Policies

    These values come from a Windows structure named POLICY_AUDIT_EVENT_TYPE, which is documented here:
    http://msdn.microsoft.com/en-us/library/ms721903.aspx

    The Windows to DumpSec mapping is as follows:

    AuditCategoryLogon = "Logon and Logoff"
    AuditCategoryObjectAccess = "File/Object Access"
    AuditCategoryPrivilegeUse = "Use of User Right"
    AuditCategoryAccountManagement = "User/Group Management"
    AuditCategoryPolicyChange = "Security Policy Changes"
    AuditCategorySystem = "Restart and Shutdown"
    AuditCategoryDetailedTracking = "Process Tracking"
    AuditCategoryDirectoryServiceAccess = "Directory Service Access"
    AuditCategoryAccountLogon = "Privileged Account Logon"



  • freshman
    replied
    Re: Audit Policies

    I've realised that the reports were actually made with DumpSec 2.8.1'h' - "User/Group Management" isn't tripled in 2.8.6. Still the naming scheme differs from what Windows uses, but after a "brainstorming" I believe the mapping is the following:

    Windows = Dumpsec 2.8.6 = Dumpsec older version
    Account logon events = Privileged Account Logon = User/Group Management3
    Account management = User/Group Management = User/Group Management1
    Directory service access = Directory Service Access = User/Group Management2
    Logon events = Logon and Logoff = Logon and Logoff
    Object access = File/Object Access = File/Object Access
    Policy changes = Security Policy Changes = Security Policy Changes
    Privilege use = Use of User Right = Use of User Right
    Process tracking = Process Tracking = Process Tracking
    System events = Restart and Shutdown = Restart and Shutdown

    Let me know if I'm wrong

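The mappings posted in the two replies above can be applied mechanically to a report. This is an added example, not part of the thread and not DumpSec code; it assumes report rows of the form `Label : Setting` as quoted in the first post, and that the repeated "User/Group Management" rows appear in the order given in the mapping above. The names `normalize` and `unaudited` are hypothetical.

```python
import re

# (Windows policy, DumpSec 2.8.6 label) pairs, as mapped in this thread.
CATEGORIES = [
    ("Audit system events", "Restart and Shutdown"),
    ("Audit logon events", "Logon and Logoff"),
    ("Audit object access", "File/Object Access"),
    ("Audit privilege use", "Use of User Right"),
    ("Audit process tracking", "Process Tracking"),
    ("Audit policy change", "Security Policy Changes"),
    ("Audit account management", "User/Group Management"),
    ("Audit directory service access", "Directory Service Access"),
    ("Audit account logon events", "Privileged Account Logon"),
]
BY_LABEL = {label: win for win, label in CATEGORIES}
# Older DumpSec builds print "User/Group Management" three times. Assumption
# (from the mapping posted in the thread): occurrences 1, 2, 3 are these.
TRIPLED = ["Audit account management", "Audit directory service access",
           "Audit account logon events"]
LINE = re.compile(r"^\s*(?P<label>.+?)\s*:\s*(?P<setting>.+?)\s*$")

def normalize(report_lines):
    """Return [(windows_policy, setting)] for DumpSec audit policy rows."""
    out, seen = [], 0
    for raw in report_lines:
        m = LINE.match(raw)
        if not m:
            continue  # skip blank lines and headings
        label, setting = m["label"], m["setting"]
        if label == "User/Group Management":
            if seen >= len(TRIPLED):
                raise ValueError("more than three User/Group Management rows")
            out.append((TRIPLED[seen], setting))
            seen += 1
        elif label in BY_LABEL:
            out.append((BY_LABEL[label], setting))
        else:
            raise ValueError(f"unknown DumpSec label: {label!r}")
    return out

def unaudited(report_lines):
    """Windows policies whose DumpSec setting is 'No Auditing'."""
    return [p for p, s in normalize(report_lines) if s == "No Auditing"]

# Constructed sample: the three rows quoted in the first post of the thread.
SAMPLE = ["User/Group Management : Success or Failure",
          "User/Group Management : No Auditing",
          "User/Group Management : Success or Failure"]
```

A 2.8.6 report has a single "User/Group Management" row, which the same function resolves to "Audit account management".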


  • freshman
    replied
    Re: Audit Policies

    I have slightly the same problem with reports produced by DumpSec 2.8.6.

    Audit Policies I get with DumpSec are:
    Restart and Shutdown
    Logon and Logoff
    File/Object Access
    Use of User Right
    Process Tracking
    Security Policy Changes
    User/Group Management
    User/Group Management
    User/Group Management

    On the other hand, Audit Policies in Windows are:
    Audit account logon events
    Audit account management
    Audit directory service access
    Audit logon events
    Audit object access
    Audit policy change
    Audit privilege use
    Audit process tracking
    Audit system events

    How do the two match? I was able to work out the following:
    Use of User Right = Audit privilege use
    Process Tracking = Audit process tracking
    File/Object Access = Audit object access
    but I'm quite confused about the others.

    Can you advise please?



  • kstanush
    replied
    Re: Audit Policies

    Download the current version of DumpSec, which should be 2.8.6. I think this is a bug caused by new policies and DumpSec was not originally designed to know what the new policies are.



  • cmccullough
    Guest replied
    Re: Audit Policies

    What are you using to produce this report, what options, etc?



  • vlina
    started a topic Audit Policies

    Audit Policies

    I am checking the audit policies, and I found this:
    User/Group Management : Success or Failure
    User/Group Management : No Auditing
    User/Group Management : Success or Failure

    I don't know why I have 2 of the same event (User/Group Management) auditing Success or Failure, and one of them with "No Auditing". What does it mean? Is the event being audited or not?