Change Windows local group policy

Hello Everyone,

Hope you are doing well!
Does anyone have experience creating relevance and an action to check and change the security setting in each local group policy? For example, if “Audit logon events” is set to No auditing, then from BigFix change it to Success, Failure.


You will need to create your own local policy to import, then use Bigfix to distribute this and use secpol to apply it.

There are previous posts for examples of calling secpol in an action.

Hi @davinardian ,

To pull back the setting, I believe these are stored in the PolAdtEv registry key on the machine. This is a binary value store and the setting is a hexadecimal value at a specific index within the value.

Using the following relevance, substituting the word OFFSET with how many bytes precede the value you are interested in, should give you the set value:

item 1 of (("00", "No auditing");("01", "Success");("02", "Failure");("03", "Success and Failure")) whose (item 0 of it = (parenthesized part 2 of matches (regex "^([0-9a-fA-F]{2}){OFFSET}([0-9a-fA-F]{2})") of (default value of it as string) of key "HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv" of native registry) | "00") | "Unknown"

To set the value to “Success and Failure” using actionscript, you can use the following:

waithidden C:\Windows\System32\auditpol.exe /set /subcategory:Logon /success:enable /failure:enable

I don’t know the specific offset to use for this particular audit setting so you will need to discover it yourself. Basically run the following relevance in the fixlet debugger under client context (you must be using System to read this key) and save the result:

default value of key "HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv" of native registry

Next run the auditpol.exe command and change the value:

C:\Windows\System32\auditpol.exe /set /subcategory:Logon /success:enable /failure:enable

Now re-run the relevance query to pull the values again:

default value of key "HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv" of native registry

Now just compare the 2 results, counting in chunks of 2 until you reach where the value has changed from a 00 to 03. The number of chunks you counted is your byte offset.

For example (not the actual value):
000100000900000084000000000001000300…
000100000900000084000000030001000300…

The change from 00 to 03 occurred at offset 12.

Hope this helps!
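The offset-discovery procedure in the post above, as an added Python example (not code from the original thread, from BigFix, or from Mike): it diffs a “before” and “after” dump of the PolAdtEv default value, decodes the changed byte with the same 00/01/02/03 mapping, runs the post's own regex against the dump to confirm it selects that byte, and prints the relevance with OFFSET filled in. It assumes that `default value of … as string` yields the value as one contiguous hex string, as the post describes; the two dumps are constructed from the post's illustration and are not real PolAdtEv contents.

```python
import re
from typing import Dict, List

# Per-subcategory byte value -> wording shown in Local Security Policy.
AUDIT_VALUES: Dict[int, str] = {
    0x00: "No auditing",
    0x01: "Success",
    0x02: "Failure",
    0x03: "Success and Failure",
}

# Constructed sample dumps (not real registry contents): AFTER is BEFORE with
# one subcategory switched to Success and Failure via auditpol.
BEFORE = "000100000900000084000000000001000300"
AFTER = "000100000900000084000000030001000300"

# The relevance from the post, with OFFSET left as a placeholder.
RELEVANCE_TEMPLATE = (
    'item 1 of (("00", "No auditing");("01", "Success");("02", "Failure");'
    '("03", "Success and Failure")) whose (item 0 of it = (parenthesized part 2 '
    'of matches (regex "^([0-9a-fA-F]{2}){OFFSET}([0-9a-fA-F]{2})") of '
    '(default value of it as string) of key '
    '"HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\PolAdtEv" of native registry) | "00") '
    '| "Unknown"'
)


def hex_to_bytes(dump: str) -> bytes:
    """Turn a hex dump (as pasted from the Fixlet Debugger) into bytes.
    Whitespace from copy/paste is ignored; an odd digit count is an error."""
    digits = "".join(dump.split())
    if len(digits) % 2:
        raise ValueError("hex dump must have an even number of digits")
    return bytes.fromhex(digits)


def changed_offsets(before: str, after: str) -> List[int]:
    """Byte offsets at which the two dumps differ (the 'count in chunks of 2'
    step). Normally one offset; several means auditpol touched more bytes."""
    b, a = hex_to_bytes(before), hex_to_bytes(after)
    if len(a) != len(b):
        raise ValueError("dumps differ in length; take both from the same machine")
    return [i for i, (x, y) in enumerate(zip(b, a)) if x != y]


def decode_audit_byte(dump: str, offset: int) -> str:
    """Audit setting at the given byte offset; 'Unknown' if the offset is past
    the end of the value or the byte is not one of the four known values."""
    data = hex_to_bytes(dump)
    if offset >= len(data):
        return "Unknown"
    return AUDIT_VALUES.get(data[offset], "Unknown")


def regex_extract(dump: str, offset: int) -> str:
    """Apply the same regex the relevance uses, to confirm it picks the
    intended byte: group 2 is the two hex digits after OFFSET preceding bytes."""
    pattern = r"^([0-9a-fA-F]{2}){%d}([0-9a-fA-F]{2})" % offset
    m = re.match(pattern, "".join(dump.split()))
    return m.group(2) if m else "00"


def relevance_for_offset(offset: int) -> str:
    """The post's relevance with the discovered offset substituted."""
    return RELEVANCE_TEMPLATE.replace("OFFSET", str(offset))


def main() -> None:
    offsets = changed_offsets(BEFORE, AFTER)
    for off in offsets:
        print(
            f"offset {off}: {decode_audit_byte(BEFORE, off)!r} -> "
            f"{decode_audit_byte(AFTER, off)!r} "
            f"(regex extracts {regex_extract(AFTER, off)})"
        )
    if len(offsets) == 1:
        print(relevance_for_offset(offsets[0]))


if __name__ == "__main__":
    main()
```

Paste the two dumps captured in the Fixlet Debugger (under System context, as the post notes) into BEFORE and AFTER; if more than one offset is reported, auditpol changed more than one byte and the offsets need to be checked individually before one is used in the relevance.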

Hi Mike,

Thank you for the advice. The relevance is working but the actionscript is not working (the security setting value does not change). Any other suggestions?

64-bit OS?

Have you disabled redirection?

Hi Trevor,

Thank you for your reply. Yes, 64-bit OS.
What do you mean by disabled redirection?

The Bigfix agent is 32-bit, so by default your reference to ‘C:\Windows\System32\auditpol.exe’ will actually call ‘C:\Windows\SysWOW64\auditpol.exe’ and update the 32-bit registry and policy.

see https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en-us#!/wiki/BigFix%20Wiki/page/Using%20WOW64%20Redirection


@davinardian try this:

action uses wow64 redirection {not x64 of operating system}
waithidden C:\Windows\System32\auditpol.exe /set /subcategory:Logon /success:enable /failure:enable

The only other thing I can think of is the machine might be using the legacy policy model and not the newer advanced policy model. If that is the case then the setting I believe is stored elsewhere in the registry. I don’t have a machine I can play with at the moment but if the above doesn’t work I’ll try to find one.

Advanced Audit Policy might also be overridden by any Domain-level GPO.

Use
gpresult /h c:\temp\gpreport.htm
to generate a Group Policy Report on the endpoint, and review that to see whether there are any Domain-level audit policy configuration overriding your local settings.

Also check the policy to enforce ‘subcategory audit’ settings in this screenshot below:

It should be set to “Enabled” (the default), otherwise a Domain-level GPO that applies the legacy “Audit Policies” would be in effect rather than the newer “Advanced Audit Policy” with subcategories. This is the setting @Mike is referencing.

Hi @Mike,

Thank you for the advice. I already tried it but it is still not working.

Hi @JasonWalker

Thank you for the advice. This is already set to Enabled.

I also checked the gpreport; here is the report.

But the actionscript that was shared by @Mike is still not working.