WIN8/WIN2012 audit subcategories in OVAL 5.11 #136
Comments
|
Thanks for adding this issue Blake! I added the tracker to 5.11. |
|
After another pass of the originally posted list it appears the following audit subcategories do not have an existing state in OVAL. Anything in the original list that does not appear here does have an existing OVAL state:
|
|
It may be best to update the OVAL schema and docs such that they map states to their corresponding GUID from NTSecApi.h. |
|
Mapping the entites to their corresponding GUIDs makes sense to me. |
ghost
assigned 
+ added ntsecapi.h guid and gpo ui path information to documentation of each audit subcategory. + added logon_claims to auditeventpolicysubcategories_state + added removable_storage to auditeventpolicysubcategories_state + added central_access_policy_staging to auditeventpolicysubcategories_state
|
In mapping the children of In gpedit, under "Account Logon", there are four audit subcategories defined:
In
In
The pull request has them mapped as follows:
How are other implementations mapping these? |
|
Our interpretation was that KERBEROS_TICKET_EVENTS has no mapping to a GUID -- you'll never get it. I'll deprecate it in 5.11.2. Edit: Actually it appears it was already deprecated in 5.11! For 5.11.2, I will add the following subcategory entities: |
|
Also, I think there is one additional GUID introduced in Windows 10 1607: |
|
I actually added that one already; it's audit_detailedtracking_tokenrightadjusted. |
Windows 8 and Windows 2012 introduce new audit subcategories that do not appear to be captured in the OVAL 5.11 release planning:
http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/windows-definitions-schema.html#auditeventpolicysubcategories_test
I've pulled all audit sub categories out of NTSecAPI.h in the Win 8 SDK and performed a diff against a prior version. The following items appear to be the new ones that may be good to get into OVAL 5.11. Double checking the diff would not hurt.
Please let me know if I've missed something.
Blake
"{0CCE9237-69AE-11D9-BED3-505054503030}": "Audit_AccountManagement_SecurityGroup_defined",
"{0CCE9238-69AE-11D9-BED3-505054503030}": "Audit_AccountManagement_DistributionGroup_defined",
"{0CCE9239-69AE-11D9-BED3-505054503030}": "Audit_AccountManagement_ApplicationGroup_defined",
"{0CCE923A-69AE-11D9-BED3-505054503030}": "Audit_AccountManagement_Others_defined",
"{0CCE923B-69AE-11D9-BED3-505054503030}": "Audit_DSAccess_DSAccess_defined",
"{0CCE923C-69AE-11D9-BED3-505054503030}": "Audit_DsAccess_AdAuditChanges_defined",
"{0CCE923D-69AE-11D9-BED3-505054503030}": "Audit_Ds_Replication_defined",
"{0CCE923E-69AE-11D9-BED3-505054503030}": "Audit_Ds_DetailedReplication_defined",
"{0CCE923F-69AE-11D9-BED3-505054503030}": "Audit_AccountLogon_CredentialValidation_defined",
"{0CCE9240-69AE-11D9-BED3-505054503030}": "Audit_AccountLogon_Kerberos_defined",
"{0CCE9241-69AE-11D9-BED3-505054503030}": "Audit_AccountLogon_Others_defined",
"{0CCE9242-69AE-11D9-BED3-505054503030}": "Audit_AccountLogon_KerbCredentialValidation_defined",
"{0CCE9243-69AE-11D9-BED3-505054503030}": "Audit_Logon_NPS_defined",
"{0CCE9245-69AE-11D9-BED3-505054503030}": "Audit_ObjectAccess_RemovableStorage_defined",
"{0CCE9246-69AE-11D9-BED3-505054503030}": "Audit_ObjectAccess_CbacStaging_defined",
"{0CCE9247-69AE-11D9-BED3-505054503030}": "Audit_Logon_Claims_defined",
The text was updated successfully, but these errors were encountered: