Introducing C3 Windows Audit Policy

It’s been a long time since new C3 content landed and I’m pleased to announce the availability of C3 Windows Audit Policy – A collection of free BigFix content for configuring, managing and monitoring Windows Audit Policy settings at scale.

This is one of our biggest releases ever with more than 242 Fixlets and 18 Analyses. This content lets you configure every nook and cranny of the Windows Advanced Audit Configuration, includes helpful warning indicators for incorrect configuration, helps track event volume from audit messages, and includes content for simplifying and tracking Audit Policy compliance to STIG baselines.

Fixlet Content

The Fixlet content is available under “Releases” on the C3 Windows Audit Policy GitHub repository. Direct link to the latest release here.

Audit Policies

Fixlets for enabling/disabling success and failure audit policies are the bulk of the content in the site:

  • Config - Audit Policy - Disable failure auditing for Detailed Tracking / Process Creation - Windows
  • Config - Audit Policy - Enable failure auditing for Detailed Tracking / Process Creation - Windows
  • Config - Audit Policy - Disable success auditing for Detailed Tracking / Process Creation - Windows
  • Config - Audit Policy - Enable success auditing for Detailed Tracking / Process Creation - Windows

Helper Fixlets

Various “helper” Fixlets are available including Fixlets that warn about various unintended combinations of settings as well as Fixlets to fully reset the Audit Policy.

Audit Policy Analyses

For every audit policy category there is an analysis with a batch of properties. Each analysis includes a property for the state of every individual audit policy setting in that category.

  • Audit Policy - Account Logon - Windows
  • Audit Policy - Account Management - Windows
  • Audit Policy - Detailed Tracking - Windows
  • Audit Policy - DS Access - Windows
  • Audit Policy - Logon/Logoff - Windows
  • Audit Policy - Object Access - Windows
  • Audit Policy - Policy Change - Windows
  • Audit Policy - Privilege Use - Windows
  • Audit Policy - System - Windows

Event Log Volume

In addition, I’ve included an analysis that calculates the Event rate for various Windows event logs. This tells you the Events per Day, Hour, Minute, and Second for each machine in your environment and can be used to help tune audit policy settings and to identify machines logging at abnormally high or low rates.
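As an added illustration of the kind of measurement this analysis performs (this is example code, not the C3 analysis relevance itself), the function below estimates the rate of one or more Windows event logs from the records currently retained in each log and flags logs above a hypothetical per-second threshold. It assumes an elevated PowerShell session on the machine being measured, since reading the Security log requires administrative rights.

```powershell
# Added example, not part of the C3 content: estimate the event rate of one or more
# Windows event logs from the records currently retained in each log.
# Assumes an elevated PowerShell session on the machine being measured.
function Get-EventLogRate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$LogName,
        # Hypothetical threshold used to flag unusually busy logs; tune per environment
        [double]$HighPerSecond = 5
    )

    foreach ($name in $LogName) {
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $log -or $log.RecordCount -lt 2) {
            # Missing, empty or single-record log: no rate can be derived
            [pscustomobject]@{
                Log = $name; Records = 0; SpanHours = 0
                PerDay = 0; PerHour = 0; PerMinute = 0; PerSecond = 0; Status = 'NoData'
            }
            continue
        }

        # The oldest and newest records still in the log bound the measured window,
        # so the rate reflects the current retention window, not the machine's lifetime.
        $newest  = Get-WinEvent -LogName $name -MaxEvents 1
        $oldest  = Get-WinEvent -LogName $name -MaxEvents 1 -Oldest
        $seconds = ($newest.TimeCreated - $oldest.TimeCreated).TotalSeconds
        if ($seconds -le 0) {
            # All retained records share one timestamp (for example a burst at log creation)
            [pscustomobject]@{
                Log = $name; Records = $log.RecordCount; SpanHours = 0
                PerDay = 0; PerHour = 0; PerMinute = 0; PerSecond = 0; Status = 'ZeroSpan'
            }
            continue
        }

        $perSecond = $log.RecordCount / $seconds
        $status = if ($perSecond -gt $HighPerSecond) { 'High' } else { 'Normal' }
        [pscustomobject]@{
            Log       = $name
            Records   = $log.RecordCount
            SpanHours = [math]::Round($seconds / 3600, 1)
            PerDay    = [math]::Round($perSecond * 86400, 1)
            PerHour   = [math]::Round($perSecond * 3600, 1)
            PerMinute = [math]::Round($perSecond * 60, 2)
            PerSecond = [math]::Round($perSecond, 3)
            Status    = $status
        }
    }
}

# Usage: rates for the logs that audit policy settings most directly affect
Get-EventLogRate -LogName 'Security', 'System', 'Application' | Format-Table -AutoSize
```

Because the window is bounded by the oldest retained record, a log that has already wrapped reports the rate over its retention period rather than since boot; comparing that figure across machines is what makes outliers (a host logging far above or below its peers) stand out.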

STIG Baselines

Also included are analyses for tracking audit policy compliance to settings recommended by STIG baselines.

  • STIG - Windows 10 Audit Policy - Windows
  • STIG - Windows 11 Audit Policy - Windows
  • STIG - Windows Server 2012 Audit Policy - Windows
  • STIG - Windows Server 2012r2 Audit Policy - Windows
  • STIG - Windows Server 2016 Audit Policy - Windows
  • STIG - Windows Server 2019 Audit Policy - Windows
  • STIG - Windows Server 2022 Audit Policy - Windows

These analyses include properties for:

  • Audit Policy Compliance providing a percentage score that describes the percentage of STIG-required audit policies that are currently applied to this system.
  • Missing Audit Policies providing the list of the STIG-required audit policies that are currently missing from the system.
  • Compliant Audit Policies providing the list of the STIG-required audit policies that are currently active on the system.
  • Extra Audit Policies providing the list of audit policies that are applied to the system but not required by the STIG baseline for this Operating System.
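To show how those four properties relate to each other, here is an added example (not the C3 analysis relevance itself) that derives them in PowerShell from the CSV that `auditpol /get /category:* /r` emits, treating each subcategory/Success or subcategory/Failure pair as one audit policy, which matches the granularity of the enable/disable Fixlets. The `$RequiredBaseline` and `$SampleAuditPol` values are constructed for illustration and are not the real STIG-required settings for any Windows version.

```powershell
# Added example, not the C3 Analyses' own relevance: compute STIG-style audit policy
# compliance from the CSV that "auditpol /get /category:* /r" emits.
# $RequiredBaseline and $SampleAuditPol below are constructed for illustration;
# they are NOT the real STIG-required settings for any Windows version.

function Get-AppliedAuditPolicies {
    param([string[]]$AuditPolCsv)
    # Without sample input, query the live system (requires an elevated session).
    if (-not $AuditPolCsv) { $AuditPolCsv = auditpol /get /category:* /r }
    $rows = $AuditPolCsv | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv

    # One "Subcategory|Success" or "Subcategory|Failure" string per applied policy.
    $applied = foreach ($row in $rows) {
        $sub = $row.Subcategory.Trim()
        # "Success and Failure" matches both cases; "No Auditing" matches neither.
        switch -Regex ($row.'Inclusion Setting') {
            'Success' { "$sub|Success" }
            'Failure' { "$sub|Failure" }
        }
    }
    return @($applied | Select-Object -Unique)
}

function Get-AuditPolicyCompliance {
    param(
        [Parameter(Mandatory)][hashtable]$Required,   # Subcategory -> @('Success','Failure')
        [string[]]$AuditPolCsv
    )
    $applied = @(Get-AppliedAuditPolicies -AuditPolCsv $AuditPolCsv)
    $requiredKeys = @(foreach ($sub in $Required.Keys) {
        foreach ($dir in $Required[$sub]) { "$sub|$dir" }
    })
    $compliant = @($requiredKeys | Where-Object { $_ -in $applied })
    $missing   = @($requiredKeys | Where-Object { $_ -notin $applied })
    $extra     = @($applied | Where-Object { $_ -notin $requiredKeys })
    $percent   = if ($requiredKeys.Count -eq 0) { 100 } else { [math]::Round(100 * $compliant.Count / $requiredKeys.Count, 1) }

    [pscustomobject]@{
        AuditPolicyCompliance  = $percent      # percentage of required policies applied
        MissingAuditPolicies   = $missing      # required but not applied
        CompliantAuditPolicies = $compliant    # required and applied
        ExtraAuditPolicies     = $extra        # applied but not required by the baseline
    }
}

# Constructed baseline (illustrative only, not a real STIG)
$RequiredBaseline = @{
    'Process Creation'    = @('Success')
    'Logon'               = @('Success', 'Failure')
    'Logoff'              = @('Success')
    'Audit Policy Change' = @('Success', 'Failure')
}

# Constructed sample of "auditpol /r" output; the GUID column is a placeholder
$SampleAuditPol = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
HOST01,System,Process Creation,{GUID-PLACEHOLDER},Success,
HOST01,System,Logon,{GUID-PLACEHOLDER},Success and Failure,
HOST01,System,Logoff,{GUID-PLACEHOLDER},No Auditing,
HOST01,System,Audit Policy Change,{GUID-PLACEHOLDER},Success,
HOST01,System,Other Object Access Events,{GUID-PLACEHOLDER},Success,
'@ -split "`r?`n"

# Offline run against the constructed sample: 4 of 6 required policies applied (66.7%),
# Logoff|Success and Audit Policy Change|Failure missing, Other Object Access Events|Success extra
Get-AuditPolicyCompliance -Required $RequiredBaseline -AuditPolCsv $SampleAuditPol | Format-List

# Live run on the current host (elevated session):
# Get-AuditPolicyCompliance -Required $RequiredBaseline | Format-List
```

The "Extra" list is worth watching as closely as the "Missing" one: a subcategory audited beyond the baseline is usually where unexpected event volume comes from, so the compliance and event-rate views complement each other.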

Source

Most of these Fixlets and Analyses are generated using a custom PowerShell Core Fixlet generator; the source code for the generator is available on GitHub.

Support

The Fixlets are only as good as the community helps make them – if you’ve got relevance or actionscript suggestions or if you run into issues let me know!

Summary

To learn more about C3, please see the original announcement.
