WIN8/WIN2012 audit subcategories in OVAL 5.11 #136
Comments
Thanks for adding this issue, Blake! I added the tracker to 5.11.
After another pass of the originally posted list it appears the following audit subcategories do not have an existing state in OVAL. Anything in the original list that does not appear here does have an existing OVAL state:
It may be best to update the OVAL schema and docs such that they map states to their corresponding GUID from NTSecApi.h.
Mapping the entities to their corresponding GUIDs makes sense to me.
+ added ntsecapi.h guid and gpo ui path information to documentation of each audit subcategory.
+ added logon_claims to auditeventpolicysubcategories_state
+ added removable_storage to auditeventpolicysubcategories_state
+ added central_access_policy_staging to auditeventpolicysubcategories_state
In mapping the children of
In gpedit, under "Account Logon", there are four audit subcategories defined:
The pull request has them mapped as follows:
How are other implementations mapping these?
Our interpretation was that KERBEROS_TICKET_EVENTS has no mapping to a GUID -- you'll never get it. I'll deprecate it in 5.11.2. Edit: Actually it appears it was already deprecated in 5.11! For 5.11.2, I will add the following subcategory entities:
Also, I think there is one additional GUID introduced in Windows 10 1607:
I actually added that one already; it's audit_detailedtracking_tokenrightadjusted.
Windows 8 and Windows 2012 introduce new audit subcategories that do not appear to be captured in the OVAL 5.11 release planning:
http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/windows-definitions-schema.html#auditeventpolicysubcategories_test
I've pulled all audit subcategories out of NTSecAPI.h in the Win 8 SDK and performed a diff against a prior version. The following items appear to be the new ones that may be good to get into OVAL 5.11. Double-checking the diff would not hurt.
Please let me know if I've missed something.
Blake
"{0CCE9237-69AE-11D9-BED3-505054503030}": "Audit_AccountManagement_SecurityGroup_defined",
"{0CCE9238-69AE-11D9-BED3-505054503030}": "Audit_AccountManagement_DistributionGroup_defined",
"{0CCE9239-69AE-11D9-BED3-505054503030}": "Audit_AccountManagement_ApplicationGroup_defined",
"{0CCE923A-69AE-11D9-BED3-505054503030}": "Audit_AccountManagement_Others_defined",
"{0CCE923B-69AE-11D9-BED3-505054503030}": "Audit_DSAccess_DSAccess_defined",
"{0CCE923C-69AE-11D9-BED3-505054503030}": "Audit_DsAccess_AdAuditChanges_defined",
"{0CCE923D-69AE-11D9-BED3-505054503030}": "Audit_Ds_Replication_defined",
"{0CCE923E-69AE-11D9-BED3-505054503030}": "Audit_Ds_DetailedReplication_defined",
"{0CCE923F-69AE-11D9-BED3-505054503030}": "Audit_AccountLogon_CredentialValidation_defined",
"{0CCE9240-69AE-11D9-BED3-505054503030}": "Audit_AccountLogon_Kerberos_defined",
"{0CCE9241-69AE-11D9-BED3-505054503030}": "Audit_AccountLogon_Others_defined",
"{0CCE9242-69AE-11D9-BED3-505054503030}": "Audit_AccountLogon_KerbCredentialValidation_defined",
"{0CCE9243-69AE-11D9-BED3-505054503030}": "Audit_Logon_NPS_defined",
"{0CCE9245-69AE-11D9-BED3-505054503030}": "Audit_ObjectAccess_RemovableStorage_defined",
"{0CCE9246-69AE-11D9-BED3-505054503030}": "Audit_ObjectAccess_CbacStaging_defined",
"{0CCE9247-69AE-11D9-BED3-505054503030}": "Audit_Logon_Claims_defined",
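The header diff described above, as an added Python example (not code from the issue or the OVAL project): it pairs each `// {GUID}` comment with the `_defined` guard macro that follows it in two ntsecapi.h snapshots and reports the GUIDs that only the newer one defines. The header layout and the two sample fragments are constructed assumptions, not copied from the Windows SDK.

```python
"""Diff the audit-subcategory GUIDs between two ntsecapi.h snapshots."""
import re
from typing import Dict

# Assumed header layout: a '// {GUID}' comment line immediately precedes
# the '#define Audit_<Category>_<Subcategory>_defined' guard macro.
_GUID_RE = re.compile(
    r"//\s*(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})")
_DEFINED_RE = re.compile(r"^\s*#define\s+(Audit_\w+_defined)\b")


def parse_subcategories(header_text: str) -> Dict[str, str]:
    """Return {GUID: macro name} for every audit subcategory in the header."""
    found: Dict[str, str] = {}
    pending_guid = None
    for line in header_text.splitlines():
        m = _GUID_RE.search(line)
        if m:
            pending_guid = m.group(1).upper()
            continue
        m = _DEFINED_RE.match(line)
        if m and pending_guid:
            found[pending_guid] = m.group(1)
            pending_guid = None  # consumed; unrelated #defines are ignored
    return found


def new_subcategories(old_header: str, new_header: str) -> Dict[str, str]:
    """GUIDs defined in new_header that old_header does not know about."""
    old = parse_subcategories(old_header)
    return {g: n for g, n in parse_subcategories(new_header).items()
            if g not in old}


# Constructed sample snapshots; the two GUIDs are taken from the list above.
OLD_HEADER = """
// {0CCE923F-69AE-11D9-BED3-505054503030}
#ifndef Audit_AccountLogon_CredentialValidation_defined
#define Audit_AccountLogon_CredentialValidation_defined
#endif
"""
NEW_HEADER = OLD_HEADER + """
// {0CCE9247-69AE-11D9-BED3-505054503030}
#ifndef Audit_Logon_Claims_defined
#define Audit_Logon_Claims_defined
#endif
"""

if __name__ == "__main__":
    for guid, name in sorted(new_subcategories(OLD_HEADER, NEW_HEADER).items()):
        print(f'"{guid}": "{name}",')
```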