I need to meet government security requirements in order to ship my product. Here is the specific requirement I am trying to meet:
Group ID (Vulid): V-1080
Group Title: File Auditing Configuration
Rule ID: SV-29471r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2.007
Rule Title: File-auditing configuration does not meet minimum requirements.
Vulnerability Discussion: Improper modification of the core system files can render a system inoperable. Further, modifications to these system files can have a significant impact on the security configuration of the system. Auditing of significant modifications made to the system files provides a method of determining the responsible party.
False Positives: Automated checking sometimes reports this as a false finding. If a manual review of a questionable finding shows auditing to be set correctly, then this would not be a finding.
Responsibility: System Administrator
IAControls: ECAR-1, ECAR-2, ECAR-3
Check Content: If system-level auditing is not enabled, or if the system and data partitions are not installed on NTFS partitions, then mark this as a finding. Open Windows Explorer and use the file and folder properties function to verify that the audit settings on each partition/drive are configured to audit all "failures" for the "Everyone" group. If any partition/drive is not configured to at least the minimum requirement, then this is a finding.
Fix Text: Configure auditing on each partition/drive to audit all "Failures" for the "Everyone" group.
I need to log Windows Vista file access failures using Windows file auditing for the entire local disk (C:). With a fresh install of Windows Vista Business SP2, I log in as a local admin. In Windows Explorer I select C:, Properties, Advanced, Auditing, Continue, Continue. Add an auditing entry for Everyone. Apply to 'This folder, subfolders and files'. Check 'Full Control' for Failed. Leave 'Apply these auditing entries to objects and/or containers within this container only' unchecked. OK, Apply.
After I click Apply, I get tens of 'Access is denied' error messages for various OS-related folders and files.
An error occurred while applying security information to:
File path
Access is denied.
or
An error occurred while applying security information to:
File path
The process cannot access the file because it is being used by another
process.
I tried taking Ownership of C:, but I got errors when I tried to do that too. Is there a simple way to enable full Auditing for C: for Everyone either via batch script or via the Windows GUI without getting tens of error messages for OS controlled files and folders? If there is something that triggers 'Access is denied' can I just skip it rather than having to click 'OK' on an error popup?
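One way to apply the same audit entry the question configures through Explorer, as an added example that is not part of the original question or answer: it enables the Object Access "File System" subcategory (the "system-level auditing" the Check Content refers to), checks whether each drive root already carries a Failure entry for Everyone, and if not adds one with the .NET FileSystemAuditRule class and Set-Acl. Only the root's SACL is written; propagation to subfolders and files is left to the operating system rather than to Explorer's own tree walk, and the outcome of that propagation on protected OS folders should be checked on the target. The drive list, the PowerShell 2.0 syntax and the NTFS check are assumptions for this example.

```powershell
# Added example, not from the question or the answer: set the V-1080 audit entry
# (all failures for Everyone, inherited by subfolders and files) on each drive root
# from PowerShell instead of the Explorer dialog, then read the SACL back to verify it.
# Run from an elevated prompt: reading or writing a SACL needs SeSecurityPrivilege.
# Assumptions: PowerShell 2.0-era syntax; the drive letters in $Drives are examples.

$Drives = @('C:\')   # every fixed system/data partition the STIG check covers

# Everyone is the well-known SID S-1-1-0; using the SID avoids localised group names.
$EveryoneSid = 'S-1-1-0'
$Everyone = New-Object System.Security.Principal.SecurityIdentifier $EveryoneSid

# A SACL does nothing unless Object Access auditing is on. On Vista and later the
# per-subcategory switch is 'File System'; failure auditing is what the STIG asks for.
auditpol /set /subcategory:"File System" /failure:enable | Out-Null

# The audit rule matching the dialog: Everyone, Full Control, Failed, applied to
# "This folder, subfolders and files" (ContainerInherit + ObjectInherit), with the
# "within this container only" box unchecked (PropagationFlags None).
$FailureRule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    $Everyone,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)

function Test-DriveFailureAudit {
    # Returns $true when the root's own (non-inherited) SACL entries include a Failure
    # entry for Everyone covering Full Control: the manual check the STIG describes.
    param([string]$Root)
    $acl = Get-Acl -Path $Root -Audit
    $rules = $acl.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        $full = [System.Security.AccessControl.FileSystemRights]::FullControl
        if ($r.IdentityReference.Value -eq $EveryoneSid -and
            ($r.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Failure) -and
            (($r.FileSystemRights -band $full) -eq $full)) {
            return $true
        }
    }
    return $false
}

foreach ($root in $Drives) {
    # Only NTFS volumes carry a SACL; a non-NTFS system or data partition is itself a finding.
    $dev = $root.TrimEnd('\')
    $fs = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$dev'").FileSystem
    if ($fs -ne 'NTFS') {
        Write-Warning "$root is $fs, not NTFS: this is a STIG finding, skipping"
        continue
    }

    if (Test-DriveFailureAudit $root) {
        Write-Host "$root already audits all failures for Everyone"
        continue
    }

    $acl = Get-Acl -Path $root -Audit
    $acl.AddAuditRule($FailureRule)
    try {
        Set-Acl -Path $root -AclObject $acl
    } catch {
        # Keep going with the next drive instead of stopping at a modal error dialog.
        Write-Warning "Could not write the SACL on ${root}: $($_.Exception.Message)"
        continue
    }

    if (Test-DriveFailureAudit $root) {
        Write-Host "$root now audits all failures for Everyone"
    } else {
        Write-Warning "$root SACL written but the Everyone failure entry was not found"
    }
}
```

The read-back at the end is the part worth keeping even if the rest is done by hand: it is the same verification the STIG's Check Content asks a reviewer to perform in Explorer, and it does not depend on how the entry was applied.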
Best Answer
I, and probably all system admins, will steer you away from using Auditing on a whole drive, especially a working drive. This just has the potential to bring your system to a standstill due to the sheer amount of auditing alone.
And the Everyone group isn't what you think it is. This isn't the correct group you want to audit if you are looking for logged-in, physical humans...
Keep in mind, a LOT of reads and writes fail. This is because this is a cheap and fast way to find out if a file exists. If you try to create a file, most, if not all, programs will try to open a file by that name. If it exists, Windows will return a file and the program just spits an error: "File exists." This is a lot faster than going through the directory listing and checking to see if the filename is already used.
Again, keep in mind the burden is on the auditing engine here. The file system is going to act like normal, but the auditing engine has to basically keep up. Every time a handle is opened and closed, the auditing engine has to check if it was due to an NTFS failure. Considering the sheer amount of handles that are created not just by the OS, but by just running a normal program, this has the likely potential to bring your OS to a standstill.
The error message explains it all. The file is being used by another program, or possibly the OS. Trying to modify the file while the OS is using it has the potential to crash the OS.
In general, when someone has gone through the effort to block even you, the owner of your system, access to the file, it is usually for a reason.
So the question is... What are you trying to do?
It would help us a lot if you explain exactly what you are planning to do. What is your goal? Are you trying to track logged in user's activities? This is probably the worst way to do it. Are you trying to track rogue programs? Again this is not the way you want to do this.
Edit
Now that I've read the ridiculous requirements and we got moved over to ServerFault, hopefully we can find someone who's dealt with this crap.