Check: WN11-AU-000585
Microsoft Windows 11 STIG:
WN11-AU-000585
(in version v1 r6)
Title
Windows 11 must have command line process auditing events enabled for failures. (Cat II impact)
Discussion
When this policy setting is enabled, the operating system generates audit events when a process fails to start and the name of the program or user that created it. These audit events can assist in understanding how a computer is being used and tracking user activity.
Check Content
Ensure Audit Process Creation auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policy >> Detailed Tracking >> Audit Process Creation. If "Audit Process Creation" is not set to "Failure", this is a finding.
Fix Text
Go to Computer Configuration >> Windows Settings >>Security Settings>> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> Set "Audit Process Creation" to "Failure".
Additional Identifiers
Rule ID: SV-257770r956042_rule
Vulnerability ID: V-257770
Group Title: SRG-OS-000037-GPOS-00015
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002234 |
The information system audits the execution of privileged functions. |
Controls
Number | Title |
---|---|
AC-6 (9) |
Auditing Use Of Privileged Functions |