Title

File-auditing configuration does not meet minimum requirements. (Cat II impact)

Discussion

Improper modification of the core system files can render a system inoperable. Further, modifications to these system files can have a significant impact on the security configuration of the system. Auditing of significant modifications made to the system files provides a method of determining the responsible party.

Check Content

If system-level auditing is not enabled, or if the system and data partitions are not installed on NTFS partitions, then mark this as a finding. Open Windows Explorer and use the file and folder properties function to verify that the audit settings on each partition/drive is configured to audit all "failures" for the "Everyone" group. If any partition/drive is not configured to at least the minimum requirement, then this is a finding.

Fix Text

Configure auditing on each partition/drive to audit all "Failures" for the "Everyone" group.

Additional Identifiers

Rule ID: SV-29471r1_rule

Vulnerability ID: V-1080

Group Title: File Auditing Configuration

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.