APPNET0067 - Event tracing for Windows (ETW) for Common Language Runtime events must be enabled - machine

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Event tracing captures information about applications utilizing the .NET CLR and the .NET CLR itself. This includes security oriented information, such as Strong Name and Authenticode verification.

Beginning with Windows Vista, ETW is enabled by default; however, the .NET CLR and .NET applications can be configured not to use event tracing. If ETW event tracing is disabled, critical events that occur within the runtime will not be captured in event logs.

Solution

Open Windows Explorer and search for all .NET config files, including application config files (*.exe.config).

Examine the configuration settings for <etwEnable enabled='false' />.

Enable ETW Tracing by setting the etwEnable flag to 'true' or obtain documented IAO approvals.
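
One way to script the search described above, as an added example that is not part of the STIG or of this audit. The function name Find-EtwDisabledConfig, the demo directory and the two sample config files are constructed for illustration.

```powershell
# Added example: report config files that contain <etwEnable enabled="false" />.
function Find-EtwDisabledConfig {
    param(
        # Directories to search; which roots to cover is the reviewer's choice (assumption).
        [Parameter(Mandatory)][string[]]$Root
    )
    # '*.config' covers *.exe.config as well as machine.config and web.config.
    Get-ChildItem -Path $Root -Recurse -File -Include '*.config' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try {
                $xml = New-Object System.Xml.XmlDocument
                $xml.Load($file.FullName)
            } catch {
                # Malformed XML cannot be assessed automatically; flag it for manual review.
                [pscustomobject]@{ Path = $file.FullName; Status = 'Unparseable' }
                return   # ends this iteration of ForEach-Object only
            }
            # local-name() matches the element even if the file declares a default namespace.
            foreach ($node in $xml.SelectNodes("//*[local-name()='etwEnable']")) {
                # -eq on strings is case-insensitive in PowerShell.
                if ($node.GetAttribute('enabled').Trim() -eq 'false') {
                    [pscustomobject]@{ Path = $file.FullName; Status = 'EtwDisabled' }
                }
            }
        }
}

# Constructed sample input: one config that disables ETW, one that leaves it enabled.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'etw-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
'<configuration><runtime><etwEnable enabled="false" /></runtime></configuration>' |
    Set-Content -Path (Join-Path $demo 'bad.exe.config')
'<configuration><runtime><etwEnable enabled="true" /></runtime></configuration>' |
    Set-Content -Path (Join-Path $demo 'good.exe.config')

# Only bad.exe.config should be reported, with Status 'EtwDisabled'.
Find-EtwDisabledConfig -Root $demo | Format-Table -AutoSize
```

Each file reported as EtwDisabled is a finding unless documented IAO approval exists; files reported as Unparseable need to be examined by hand.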

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_DotNet_Framework_4-0_V2R1_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, CAT|II, CCI|CCI-000130, Rule-ID|SV-225235r615940_rule, STIG-ID|APPNET0067, STIG-Legacy|SV-41075, STIG-Legacy|V-31026, Vuln-ID|V-225235

Plugin: Windows

Control ID: 89f35db08586b387bec5757e029aafd310b8e34afbe5400680e1011ee6e453d8