CCE-99742-9Platform: cpe:/o:microsoft:windows_server_2019 | Date: (C)2022-07-28 (M)2023-07-04 |
This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include:
? 4715: The audit policy (SACL) on an object was changed.
? 4719: System audit policy was changed.
? 4902: The Per-user audit policy table was created.
? 4904: An attempt was made to register a security event source.
? 4905: An attempt was made to unregister a security event source.
? 4906: The CrashOnAuditFail value has changed.
? 4907: Auditing settings on object were changed.
? 4908: Special Groups Logon table modified.
? 4912: Per User Audit Policy was changed.
Refer to the Microsoft Knowledgebase article ?Description of security events in Windows Vista and in Windows Server 2008? for the most recent information about this setting: http://support.microsoft.com/default.aspx/kb/947226.
Parameter:
[success/failure/success_failure/none]
Technical Mechanism:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change!Audit Policy: Policy Change: Audit Policy Change
(2) REG: NO REGISTRY INFO
CCSS Severity: | CCSS Metrics: |
CCSS Score : 5.3 | Attack Vector: LOCAL |
Exploit Score: 1.8 | Attack Complexity: LOW |
Impact Score: 3.4 | Privileges Required: LOW |
Severity: MEDIUM | User Interaction: NONE |
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | Scope: UNCHANGED |
| Confidentiality: LOW |
| Integrity: LOW |
| Availability: LOW |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:82046 |