I am attempting to determine the applied audit policy on any machine. As I understand it, Hyena has two methods:
(1) Right click the object and choose "audit policy" and you are shown a window listing the eight policies alongside the success/failure checkboxes. This shows:
Logon and Logoff
File and Object Access
Use of User Rights
User and Group Management
Security Policy Changes
Restart, Shutdown and System
Process Tracking
Privileged Logons (Kerberos)
Directory Service Access
(2) Select the object and use Exporter Pro's "Account/Audit Policies" pull, which results in pulling the following values (NOTE: LogonSuccess and LogonFailure are listed twice!):
SystemSuccess and SystemFailure
LogonSuccess and LogonFailure
ObjAccessSuccess and ObjAccessFailure
PrivUseSuccess and PrivUseFailure
TrackingSuccess and TrackingFailure
ChangeSuccess and ChangeFailure
AcctMgtSuccess and AcctMgtFailure
DirAccessSuccess and DirAccessFailure
LogonSuccess and LogonFailure
As you can see, the above methods do not match up. Anyone else come across this and have an explanation?
Of course if you try MS's MMC snap-in for looking at the GPO, you come across yet a third set of values:
(3) From the MMC GPO snap-in:
Account Logon Events
Account Management
Directory Service Access
Logon Events
Object Access
Policy Change
Privilege Use
Process Tracking
System Events
Any help here to match/matrix these varying values is appreciated.