Check: WN10-AU-000585
Microsoft Windows 10 STIG:
WN10-AU-000585
(in versions v3 r2 through v2 r9)
Title
Windows 10 must have command line process auditing events enabled for failures. (Cat II impact)
Discussion
When this policy setting is enabled, the operating system generates audit events when a process fails to start and the name of the program or user that created it. These audit events can assist in understanding how a computer is being used and tracking user activity.
Check Content
Ensure Audit Process Creation auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >>System Audit Policies >> Detailed Tracking >> Audit Process Creation". If "Audit Process Creation" is not set to "Failure", this is a finding.
Fix Text
Go to Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >>System Audit Policies >> Detailed Tracking >> Audit Process Creation is set to "failure".
Additional Identifiers
Rule ID: SV-257589r958412_rule
Vulnerability ID: V-257589
Group Title: SRG-OS-000037-GPOS-00015
Expert Comments
Controls
Number | Title |
---|---|
AC-6(9) |
Auditing Use of Privileged Functions |