4.008 - Auditing must be configured as required. - 'Privilege Use -> Sensitive Privilege Use'

Information

Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior.

Solution

Configure the system to audit subcategories as outlined below.

Open a Command Prompt with elevated privileges (Run as administrator).
Execute the following command for each subcategory.
Auditpol /set /subcategory:"subcategory name" /success:enable(disable) /failure:enable(disable)
(Include the quotes around the subcategory name).

System
Security System Extension - Success and Failure
System Integrity - Success and Failure
IPSec Driver - Success and Failure
Security State Change - Success and Failure

Logon/Logoff
Logon - Success and Failure
Logoff - Success
Special Logon - Success

Privilege Use
Sensitive Privilege Use - Success and Failure

Detailed Tracking
Process Creation - Success

Policy Change
Audit Policy Change - Success and Failure
Authentication Policy Change - Success

Account Management
User Account Management - Success and Failure
Computer Account Management - Success and Failure
Security Group Management - Success and Failure
Other Account Management Events - Success and Failure

Account Logon
Credential Validation - Success and Failure
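
The procedure above as a script. This is an added example, not part of the STIG or the plugin: it applies the listed settings with auditpol and reads the effective policy back to confirm them. It assumes an elevated PowerShell prompt, English subcategory names, and that each listed setting is a minimum (more auditing than listed still passes).

```powershell
# Added example, not STIG text. Run elevated; assumes English subcategory names.
# Required settings are copied from the subcategory list on this page.
$required = @{
    'Security System Extension'       = 'Success and Failure'
    'System Integrity'                = 'Success and Failure'
    'IPSec Driver'                    = 'Success and Failure'
    'Security State Change'           = 'Success and Failure'
    'Logon'                           = 'Success and Failure'
    'Logoff'                          = 'Success'
    'Special Logon'                   = 'Success'
    'Sensitive Privilege Use'         = 'Success and Failure'
    'Process Creation'                = 'Success'
    'Audit Policy Change'             = 'Success and Failure'
    'Authentication Policy Change'    = 'Success'
    'User Account Management'         = 'Success and Failure'
    'Computer Account Management'     = 'Success and Failure'
    'Security Group Management'       = 'Success and Failure'
    'Other Account Management Events' = 'Success and Failure'
    'Credential Validation'           = 'Success and Failure'
}

# 1. Apply: enable only what the list asks for; nothing is switched off here.
foreach ($name in $required.Keys) {
    $flags = @()
    if ($required[$name] -match 'Success') { $flags += '/success:enable' }
    if ($required[$name] -match 'Failure') { $flags += '/failure:enable' }
    & auditpol.exe /set "/subcategory:$name" $flags | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol /set failed for '$name'" }
}

# 2. Verify: read the effective policy back as CSV (/r) and compare.
$effective = @{}
& auditpol.exe /get '/category:*' /r | Where-Object { $_ } | ConvertFrom-Csv |
    ForEach-Object { $effective[$_.Subcategory] = $_.'Inclusion Setting' }

$failed = 0
foreach ($name in ($required.Keys | Sort-Object)) {
    $actual = [string]$effective[$name]
    # Assumption: the listed setting is a minimum, so "Success and Failure"
    # satisfies a "Success" requirement.
    $missing = $required[$name] -split ' and ' | Where-Object { $actual -notmatch $_ }
    if ($missing) {
        $failed++
        Write-Output "FAIL  $name : required '$($required[$name])', found '$actual'"
    } else {
        Write-Output "PASS  $name : $actual"
    }
}
Write-Output "$failed of $($required.Count) subcategories below the required setting"
```

A subcategory that reports blank in the FAIL line was not present in the auditpol output, which on a non-English system usually means the name is localized.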

See Also

http://iasecontent.disa.mil/stigs/zip/Oct2016/U_Windows_Vista_V6R41_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CAT|II, CCI|CCI-000172, Rule-ID|SV-16966r3_rule, STIG-ID|4.008, Vuln-ID|V-6850

Plugin: Windows

Control ID: 3cf334c236e7941c5b05a714770fee2f569f05c12de613015f64fc8f2caeb444