
Registry key auditing configuration does not meet minimum requirements.


Overview

Finding ID: V-1088
Version: 3.010
Rule ID: SV-29630r2_rule
IA Controls: ECAR-3
Severity: Medium
Description
Improper modification of the Registry can render a system useless. Modifications to the Registry can have a significant impact on the security configuration of the system. Auditing of significant modifications made to the Registry provides a method of determining the responsible party.
STIG: Windows Vista Security Technical Implementation Guide
Date: 2013-10-01

Details

Check Text ( C-41199r1_chk )
Verify system level auditing of object access is properly configured (see V-6850 “Object access - Registry”). If this is not configured to audit “Failure”, this requirement is a finding.

Verify detailed registry auditing is configured.
Run “Regedit”.
Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM keys.
On the menu bar, select “Edit” then “Permissions”.
Click on the “Advanced” button.
Select the “Auditing” tab.
Verify the following is configured:
Type - Fail
Name - Everyone
Access - Full Control
Apply to - This key and subkeys

If the “Everyone” group, at a minimum, is not being audited for all failures, this is a finding.
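
The Regedit steps above can also be scripted. The PowerShell below is an added example, not part of the STIG; it assumes PowerShell 2.0 or later in an elevated session on an English-language system, and the function name Test-RegistryFailureAudit is hypothetical.

```powershell
# Added example: reads the SACL on the two hives named in the check text.
# Run elevated; reading a SACL requires SeSecurityPrivilege.
$everyoneSid = 'S-1-1-0'   # well-known SID for Everyone (name is localized, SID is not)
$full    = [System.Security.AccessControl.RegistryRights]::FullControl
$fail    = [System.Security.AccessControl.AuditFlags]::Failure
$subkeys = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$noProp  = [System.Security.AccessControl.PropagationFlags]::None

function Test-RegistryFailureAudit {
    param([string]$Path)

    $acl = Get-Acl -Path $Path -Audit
    # Explicit and inherited audit rules, with identities returned as SIDs.
    $rules = $acl.GetAuditRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    $match = $false
    foreach ($r in $rules) {
        # "This key and subkeys" = ContainerInherit with no propagation flags.
        if ($r.IdentityReference.Value -eq $everyoneSid -and
            ($r.AuditFlags -band $fail) -eq $fail -and
            ($r.RegistryRights -band $full) -eq $full -and
            ($r.InheritanceFlags -band $subkeys) -eq $subkeys -and
            $r.PropagationFlags -eq $noProp) {
            $match = $true
        }
    }
    New-Object PSObject -Property @{ Path = $Path; Compliant = $match }
}

# System-level prerequisite from the check text (V-6850). The output text is
# localized, so it is displayed for review rather than parsed.
auditpol /get /subcategory:"Registry"

'HKLM:\SOFTWARE', 'HKLM:\SYSTEM' |
    ForEach-Object { Test-RegistryFailureAudit -Path $_ }
```

A key reported with Compliant set to False has no audit entry matching the four values listed in the check text.
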
Fix Text (F-28953r1_fix)
Configure the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM keys to audit the Everyone Group for all failures. Audit settings should be propagated to subkeys.