Check: WN10-AU-000585
Microsoft Windows 10 STIG: WN10-AU-000585 (in version v2 r8)
Title
Windows 10 must have command line process auditing events enabled for failures. (Cat II impact)
Discussion
When this policy setting is enabled, the operating system generates an audit event when a process fails to start, recording the name of the program or user that created it. These audit events can assist in understanding how a computer is being used and in tracking user activity.
Check Content
Ensure Audit Process Creation auditing has been enabled: Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> Detailed Tracking >> "Audit Process Creation" is set to "Failure". If "Audit Process Creation" is not set to "Failure", this is a finding.
Fix Text
Go to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> Detailed Tracking >> Set "Audit Process Creation" to "Failure".
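The check above can also be confirmed against the effective audit policy from an elevated PowerShell prompt. The following is an added example, not part of the STIG text; the function name is hypothetical, and it assumes an English-language system (auditpol subcategory names are localized) and treats a setting of "Success and Failure" as satisfying the "Failure" requirement.

```powershell
# Added example (not from the STIG): evaluate WN10-AU-000585 on the local host.
# Assumptions: elevated session, English subcategory names, and any inclusion
# setting that contains "Failure" counts as compliant.
function Test-ProcessCreationFailureAudit {
    [CmdletBinding()]
    param(
        # Subcategory name as auditpol prints it on English systems (assumption).
        [string]$Subcategory = 'Process Creation'
    )

    # /r returns CSV with the columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting.
    $raw = & auditpol.exe /get /subcategory:"$Subcategory" /r 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol failed (exit code $LASTEXITCODE); run elevated. Output: $raw"
    }

    # Drop blank lines before parsing, then pick the row for this subcategory.
    $row = $raw |
        Where-Object { $_ -and $_.ToString().Trim() } |
        ConvertFrom-Csv |
        Where-Object { $_.Subcategory -eq $Subcategory } |
        Select-Object -First 1
    if (-not $row) {
        throw "Subcategory '$Subcategory' was not found in the auditpol output."
    }

    $setting = $row.'Inclusion Setting'   # e.g. "No Auditing", "Success", "Failure"
    [pscustomobject]@{
        Check       = 'WN10-AU-000585'
        Subcategory = $row.Subcategory
        Setting     = $setting
        Finding     = ($setting -notmatch 'Failure')   # $true means the check fails
    }
}

Test-ProcessCreationFailureAudit
```

The output reflects the policy in effect on the machine, so a value set locally can still be replaced at the next Group Policy refresh if the domain policy differs.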
Additional Identifiers
Rule ID: SV-257589r930680_rule
Vulnerability ID: V-257589
Group Title: SRG-OS-000037-GPOS-00015
Controls
Number | Title |
---|---|
AC-6(9) | Auditing Use of Privileged Functions |