Audit Policy Mismatch / Confusion

  • Audit Policy Mismatch / Confusion

    I am attempting to determine the applied audit policy on any machine. As I understand it, Hyena has two methods:

    (1) Right click the object and choose "audit policy" and you are shown a window listing the eight policies alongside the success/failure checkboxes. This shows:
    Logon and Logoff
    File and Object Access
    Use of User Rights
    User and Group Management
    Security Policy Changes
    Restart, Shutdown and System
    Process Tracking
    Privileged Logons (Kerberos)
    Directory Service Access

    (2) Select the object and use Exporter Pro's "Account/Audit Policies" pull, which results in pulling the following values (NOTE: LogonSuccess and LogonFailure are listed twice!):
    SystemSuccess and SystemFailure
    LogonSuccess and LogonFailure
    ObjAccessSuccess and ObjAccessFailure
    PrivUseSuccess and PrivUseFailure
    TrackingSuccess and TrackingFailure
    ChangeSuccess and ChangeFailure
    AcctMgtSuccess and AcctMgtFailure
    DirAccessSuccess and DirAccessFailure
    LogonSuccess and LogonFailure

    As you can see, the above methods do not match up. Has anyone else come across this and have an explanation?

    Of course if you try MS's MMC snap-in for looking at the GPO, you come across yet a third set of values:

    (3) From the MMC GPO snap-in:
    Account Logon Events
    Account Management
    Directory Service Access
    Logon Events
    Object Access
    Policy Change
    Privilege Use
    Process Tracking
    System Events

    Any help here to match/matrix these varying values is appreciated.

  • #2
    Re: Audit Policy Mismatch / Confusion

    Sorry for the confusion. Exporter Pro is limited to field names in its GUI, so we tried to follow Microsoft's naming conventions. Here is the correlation:

    Logon and Logoff = LogonSuccess/LogonFailure

    File and Object Access = ObjAccessSuccess and ObjAccessFailure

    Use of User Rights = PrivUseSuccess and PrivUseFailure

    User and Group Management = AcctMgtSuccess and AcctMgtFailure

    Security Policy Changes = ChangeSuccess and ChangeFailure

    Restart, Shutdown and System = SystemSuccess and SystemFailure

    Process Tracking = TrackingSuccess and TrackingFailure

    Privileged Logons (Kerberos) = (see below)

    Directory Service Access = DirAccessSuccess and DirAccessFailure

    The Kerberos logons setting is the one that shows the duplicate entry (the last one) for LogonSuccess. I'll get a fix in the works for that right away; thanks for catching this.

    The Microsoft documentation for these settings is here:

    The descriptions are not much better, but might provide a better understanding of the events.

    I can't say for sure what the naming convention used by MMC is, but a process of elimination can be used on most of them. The only one I'm not sure about is the Account Logon vs. Logon.
    Kevin Stanush
    SystemTools Software Inc.


    • #3
      Re: Audit Policy Mismatch / Confusion

      THANK YOU, I appreciate your prompt response and getting a fix in the works. Here is my "table" of the conventions:

      1 Account Logon Events
      2 Account Management
      3 Directory Service Access
      4 Logon Events
      5 Object Access
      6 Policy Change
      7 Privilege Use
      8 Process Tracking
      9 System Events

      1 Privileged Logons (Kerberos)
      2 User and Group Management
      3 Directory Service Access
      4 Logon and Logoff
      5 File and Object Access
      6 Security Policy Changes
      7 Use of User Rights
      8 Process Tracking
      9 Restart, Shutdown and System

      HYENA Exporter Pro
      1 LogonSuccess and LogonFailure
      2 AcctMgtSuccess and AcctMgtFailure
      3 DirAccessSuccess and DirAccessFailure
      4 LogonSuccess and LogonFailure (bug?)
      5 ObjAccessSuccess and ObjAccessFailure
      6 ChangeSuccess and ChangeFailure
      7 PrivUseSuccess and PrivUseFailure
      8 TrackingSuccess and TrackingFailure
      9 SystemSuccess and SystemFailure

      HYENA Rocks!
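
Added example, not part of the original thread and not SystemTools code: a Python sketch that relabels an export carrying the duplicated LogonSuccess/LogonFailure columns with the MMC category names from the table in post #3, telling the two Logon pairs apart by position as post #2 describes. The CSV layout, the "Computer" column, the 1/0 cell values and all function names are assumptions made for illustration.

```python
import csv
import io

# MMC names per Exporter Pro column stem, following the table in post #3.
MMC_NAME = {
    "System": "System Events", "Logon": "Logon Events",
    "ObjAccess": "Object Access", "PrivUse": "Privilege Use",
    "Tracking": "Process Tracking", "Change": "Policy Change",
    "AcctMgt": "Account Management", "DirAccess": "Directory Service Access",
}
# Post #2: the LAST duplicate Logon pair is Privileged Logons (Kerberos),
# which post #3 lines up with "Account Logon Events".
DUPLICATE_FIX = {"Logon": "Account Logon Events"}

def label_columns(header):
    """Map each header cell to (MMC category, outcome), using position for repeats."""
    seen, labels = set(), []
    for col in header:
        stem, outcome = col[:-7], col[-7:]   # "Success"/"Failure" are both 7 chars
        table = DUPLICATE_FIX if col in seen else MMC_NAME
        labels.append((table[stem], outcome))  # KeyError on an unknown column
        seen.add(col)
    return labels

def parse_export(text):
    """Return {machine: {category: {"Success": bool, "Failure": bool}}}."""
    # csv.reader, not DictReader: keyed by name, the repeated pair would
    # silently overwrite the first LogonSuccess/LogonFailure values.
    rows = csv.reader(io.StringIO(text))
    labels = label_columns(next(rows)[1:])   # assumed: column 0 is the machine
    result = {}
    for row in rows:
        policy = {}
        for (category, outcome), cell in zip(labels, row[1:]):
            policy.setdefault(category, {})[outcome] = cell.strip() == "1"
        result[row[0]] = policy
    return result

def unaudited(policy):
    """Categories with neither success nor failure auditing enabled."""
    return sorted(c for c, v in policy.items() if not any(v.values()))

# Constructed sample: column order from post #1, values invented.
SAMPLE = (
    "Computer,SystemSuccess,SystemFailure,LogonSuccess,LogonFailure,"
    "ObjAccessSuccess,ObjAccessFailure,PrivUseSuccess,PrivUseFailure,"
    "TrackingSuccess,TrackingFailure,ChangeSuccess,ChangeFailure,AcctMgtSuccess,"
    "AcctMgtFailure,DirAccessSuccess,DirAccessFailure,LogonSuccess,LogonFailure\n"
    "SRV01,1,1,1,1,0,0,0,1,0,0,1,0,1,1,0,0,0,1\n"
)
if __name__ == "__main__":
    print(unaudited(parse_export(SAMPLE)["SRV01"]))
```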