Audit status of Categories instead of subcategories

Hi, I'm new on BigFix, so I have some basic questions. The first one is that I have read that by using the audit policy information inspector I can get the audit policy for a given subcategory. However, I don't find how to do the same for the Categories: System, Logon/Logoff, Object Access, Privilege Use, Detailed Tracking, Policy Change, Account Management, DS Access, Account Logon.
However, they are configurable via gpedit, for instance, in Windows Settings \ Security Settings \ Local Policies \ Audit Policy.

For instance I can do this to get information about the File System subcategory:

audit failure of system policy of subcategories whose (name of it is "File System") of categories of audit policy

I don't find the inspector to do the same for Categories.

Could you please help me with how I could do this? Thank you in advance…

Regards,
Fabio Castañeda

This seemed a nice puzzle and a good learning point on “Introspectors”, or getting the Relevance language to inspect itself.

I’d start by listing all of the Properties that have “audit” in the name

q: properties whose (it as string contains "audit")
A: audit success of <access control entry>: boolean
A: audit failure of <access control entry>: boolean
A: audit policy: audit policy
A: categories of <audit policy>: audit policy category
A: system category of <audit policy>: audit policy category
A: logon logoff category of <audit policy>: audit policy category
A: object access category of <audit policy>: audit policy category
A: privilege use category of <audit policy>: audit policy category
A: detailed tracking category of <audit policy>: audit policy category
A: policy change category of <audit policy>: audit policy category
A: account management category of <audit policy>: audit policy category
A: ds access category of <audit policy>: audit policy category
A: account logon category of <audit policy>: audit policy category
A: name of <audit policy category>: string
A: subcategories of <audit policy category>: audit policy subcategory
A: name of <audit policy subcategory>: string
A: system policy of <audit policy subcategory>: audit policy information
A: per user policy <security account> of <audit policy subcategory>: audit policy information
A: effective policy <security account> of <audit policy subcategory>: audit policy information
A: guid of <audit policy subcategory>: string
A: audit failure of <audit policy information>: boolean
A: audit success of <audit policy information>: boolean
A: guid of <audit policy information>: string
A: audit success event log event type: event log event type
A: audit failure event log event type: event log event type
A: audit level of <local mssql database>: integer
T: 8.419 ms
I: plural property

From this, “audit policy” looks promising (and you came across it already), so I’ll describe it further by listing its properties

q: properties of type "audit policy"
A: categories of <audit policy>: audit policy category
A: system category of <audit policy>: audit policy category
A: logon logoff category of <audit policy>: audit policy category
A: object access category of <audit policy>: audit policy category
A: privilege use category of <audit policy>: audit policy category
A: detailed tracking category of <audit policy>: audit policy category
A: policy change category of <audit policy>: audit policy category
A: account management category of <audit policy>: audit policy category
A: ds access category of <audit policy>: audit policy category
A: account logon category of <audit policy>: audit policy category
T: 0.203 ms
I: plural property

So basically it only has properties of type “audit policy category”. So I’ll dig a little more to see what an “audit policy category” type can yield

q: properties of type "audit policy category"
A: name of <audit policy category>: string
A: subcategories of <audit policy category>: audit policy subcategory
T: 0.169 ms
I: plural property

So it looks like each category can have a Name and some number of Subcategories. What then does an “audit policy subcategory” yield ?

q: properties of type "audit policy subcategory"
A: name of <audit policy subcategory>: string
A: system policy of <audit policy subcategory>: audit policy information
A: per user policy <security account> of <audit policy subcategory>: audit policy information
A: effective policy <security account> of <audit policy subcategory>: audit policy information
A: guid of <audit policy subcategory>: string
T: 0.217 ms
I: plural property

Looks like an "audit policy subcategory" can have a name, a system policy, a per user policy, an effective policy, and a guid (and I'll bet the guid is useful when looking at an audit.csv file in the policy filesystem structure). The "audit policy information" looks like a complex type, so I'll retrieve it as well…

q: properties of type "audit policy information"
A: audit failure of <audit policy information>: boolean
A: audit success of <audit policy information>: boolean
A: guid of <audit policy information>: string
T: 0.176 ms
I: plural property

Ok, at this point everything is a boolean or string. And we have this relationship where there are audit success / audit failures of (system policy / per user policy / effective policy) of audit policy subcategories of audit policy categories of the audit policy. We can build a query to retrieve all of them. Here's mine for retrieving the "system policy" of all of them…

q: (names of it, (names of it, (audit success of it, audit failure of it) of system policies of it) of subcategories of it) of categories of audit policy
A: System, ( Security State Change, ( True, False ) )
A: System, ( Security System Extension, ( False, False ) )
A: System, ( System Integrity, ( True, True ) )
A: System, ( IPsec Driver, ( False, False ) )
A: System, ( Other System Events, ( True, True ) )
A: Logon/Logoff, ( Logon, ( True, False ) )
A: Logon/Logoff, ( Logoff, ( True, False ) )
A: Logon/Logoff, ( Account Lockout, ( True, False ) )
A: Logon/Logoff, ( IPsec Main Mode, ( False, False ) )
A: Logon/Logoff, ( IPsec Quick Mode, ( False, False ) )
A: Logon/Logoff, ( IPsec Extended Mode, ( False, False ) )
A: Logon/Logoff, ( Special Logon, ( True, False ) )
A: Logon/Logoff, ( Other Logon/Logoff Events, ( False, False ) )
A: Logon/Logoff, ( Network Policy Server, ( True, True ) )
A: Logon/Logoff, ( User / Device Claims, ( False, False ) )
A: Logon/Logoff, ( Group Membership, ( False, False ) )
A: Object Access, ( File System, ( False, False ) )
A: Object Access, ( Registry, ( False, False ) )
A: Object Access, ( Kernel Object, ( False, False ) )
A: Object Access, ( SAM, ( False, False ) )
A: Object Access, ( Certification Services, ( False, False ) )
A: Object Access, ( Application Generated, ( False, False ) )
A: Object Access, ( Handle Manipulation, ( False, False ) )
A: Object Access, ( File Share, ( False, False ) )
A: Object Access, ( Filtering Platform Packet Drop, ( False, False ) )
A: Object Access, ( Filtering Platform Connection, ( False, False ) )
A: Object Access, ( Other Object Access Events, ( False, False ) )
A: Object Access, ( Detailed File Share, ( False, False ) )
A: Object Access, ( Removable Storage, ( False, False ) )
A: Object Access, ( Central Policy Staging, ( False, False ) )
A: Privilege Use, ( Sensitive Privilege Use, ( False, False ) )
A: Privilege Use, ( Non Sensitive Privilege Use, ( False, False ) )
A: Privilege Use, ( Other Privilege Use Events, ( False, False ) )
A: Detailed Tracking, ( Process Creation, ( False, False ) )
A: Detailed Tracking, ( Process Termination, ( False, False ) )
A: Detailed Tracking, ( DPAPI Activity, ( False, False ) )
A: Detailed Tracking, ( RPC Events, ( False, False ) )
A: Detailed Tracking, ( Plug and Play Events, ( False, False ) )
A: Detailed Tracking, ( Token Right Adjusted Events, ( False, False ) )
A: Policy Change, ( Audit Policy Change, ( True, False ) )
A: Policy Change, ( Authentication Policy Change, ( True, False ) )
A: Policy Change, ( Authorization Policy Change, ( False, False ) )
A: Policy Change, ( MPSSVC Rule-Level Policy Change, ( False, False ) )
A: Policy Change, ( Filtering Platform Policy Change, ( False, False ) )
A: Policy Change, ( Other Policy Change Events, ( False, False ) )
A: Account Management, ( User Account Management, ( True, False ) )
A: Account Management, ( Computer Account Management, ( False, False ) )
A: Account Management, ( Security Group Management, ( True, False ) )
A: Account Management, ( Distribution Group Management, ( False, False ) )
A: Account Management, ( Application Group Management, ( False, False ) )
A: Account Management, ( Other Account Management Events, ( False, False ) )
A: DS Access, ( Directory Service Access, ( False, False ) )
A: DS Access, ( Directory Service Changes, ( False, False ) )
A: DS Access, ( Directory Service Replication, ( False, False ) )
A: DS Access, ( Detailed Directory Service Replication, ( False, False ) )
A: Account Logon, ( Credential Validation, ( False, False ) )
A: Account Logon, ( Kerberos Service Ticket Operations, ( False, False ) )
A: Account Logon, ( Other Account Logon Events, ( False, False ) )
A: Account Logon, ( Kerberos Authentication Service, ( False, False ) )

That's good, and it looks like it describes Advanced Audit Policy. But this only shows the Advanced Audit Policies, not the items you'd find at Windows Settings \ Security Settings \ Local Policies \ Audit Policy.
Once Advanced Audit Policies are configured, the legacy audit settings in that area no longer have an effect; they're just in the GPEdit console to support legacy systems, and since Advanced Audit Policy has been available since Vista, I don't expect the legacy audit settings to be useful anymore.

That said, I think the BESClient has (or did have) a way to retrieve those settings. I’ll check my console tomorrow and hopefully have an answer.
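As an added example (not part of the original thread, and not BigFix's own code), the following Python script takes output in the same shape as the category/subcategory query above and rolls the subcategory booleans up to a per-category view, which is the closest you can get to the nine legacy categories from Advanced Audit Policy data. The mapping rule is an assumption for illustration: a category is reported with a single legacy-style value only when every one of its subcategories agrees, and otherwise it is flagged as "Mixed", the state the legacy nine-category view cannot express. The sample lines are a constructed subset of the posted results, not a live capture.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the "A:" answer lines produced by
# the "(names of it, (names of it, (audit success of it, audit failure of it)
# of system policies of it) of subcategories of it) of categories of audit policy"
# query. It is a hand-picked subset of the thread's output, not a live capture.
SAMPLE_OUTPUT = """\
A: System, ( Security State Change, ( True, False ) )
A: System, ( Security System Extension, ( False, False ) )
A: System, ( System Integrity, ( True, True ) )
A: Logon/Logoff, ( Logon, ( True, False ) )
A: Logon/Logoff, ( Logoff, ( True, False ) )
A: Logon/Logoff, ( Account Lockout, ( True, False ) )
A: Object Access, ( File System, ( False, False ) )
A: Object Access, ( Registry, ( False, False ) )
A: Policy Change, ( Audit Policy Change, ( True, False ) )
A: Policy Change, ( Authentication Policy Change, ( True, False ) )
T: 1.234 ms
I: plural ( string, ( string, ( boolean, boolean ) ) )
"""

# One answer line: "A: <category>, ( <subcategory>, ( <success>, <failure> ) )"
LINE_RE = re.compile(
    r"^A:\s*(?P<category>[^,]+?),\s*\(\s*(?P<subcategory>.+?),\s*"
    r"\(\s*(?P<success>True|False),\s*(?P<failure>True|False)\s*\)\s*\)\s*$"
)


def parse_qna_output(text):
    """Parse the 'A:' lines into (category, subcategory, success, failure) tuples.

    'T:' timing lines, 'I:' type lines and anything else are skipped.
    """
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rows.append((m["category"], m["subcategory"],
                     m["success"] == "True", m["failure"] == "True"))
    return rows


def _state(flags):
    """Collapse a list of booleans to 'all', 'some' or 'none'."""
    if all(flags):
        return "all"
    if any(flags):
        return "some"
    return "none"


def rollup_categories(rows):
    """Aggregate the subcategory booleans of each category.

    Returns {category: {"success": state, "failure": state, "subcategories": n}}
    where state is 'all', 'some' or 'none'.
    """
    by_cat = defaultdict(list)
    for cat, _sub, succ, fail in rows:
        by_cat[cat].append((succ, fail))
    return {
        cat: {
            "success": _state([p[0] for p in pairs]),
            "failure": _state([p[1] for p in pairs]),
            "subcategories": len(pairs),
        }
        for cat, pairs in by_cat.items()
    }


def legacy_setting(summary):
    """Map a category summary to a legacy Audit Policy style value.

    Assumption (not from the thread): a category only reads as one legacy
    setting when every subcategory agrees; a partial setting is 'Mixed'.
    """
    s, f = summary["success"], summary["failure"]
    if "some" in (s, f):
        return "Mixed"
    if s == "all" and f == "all":
        return "Success, Failure"
    if s == "all":
        return "Success"
    if f == "all":
        return "Failure"
    return "No Auditing"


if __name__ == "__main__":
    summary = rollup_categories(parse_qna_output(SAMPLE_OUTPUT))
    for cat, info in summary.items():
        print(f"{cat:<20} {legacy_setting(info):<18} "
              f"({info['subcategories']} subcategories)")
```

A "Mixed" category is the interesting case for an auditor: it means the machine is already governed by Advanced Audit Policy at subcategory granularity, so the legacy category-level view in gpedit would not describe what is actually being logged.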
