Audit System Integrity

Audit System Integrity determines whether the operating system audits events that violate the integrity of the security subsystem.

Activities that violate the integrity of the security subsystem include the following:

  • Audited events are lost due to a failure of the auditing system.

  • A process uses an invalid local procedure call (LPC) port in an attempt to impersonate a client, reply to a client address space, read to a client address space, or write from a client address space.

  • A remote procedure call (RPC) integrity violation is detected.

  • A code integrity violation with an invalid hash value of an executable file is detected.

  • Cryptographic tasks are performed.

Violations of security subsystem integrity are critical and could indicate a potential security attack.

Event volume: Low.

| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure |
|-------------------|-----------------|-----------------|------------------|------------------|
| Domain Controller | Yes             | Yes             | Yes              | Yes              |
| Member Server     | Yes             | Yes             | Yes              | Yes              |
| Workstation       | Yes             | Yes             | Yes              | Yes              |

Comments (the same for all three computer types):

The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “4618(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.

The main reason why we recommend Failure auditing for this subcategory is to be able to get Code Integrity failure events.

Events List:

  • 4612(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.

  • 4615(S): Invalid use of LPC port.

  • 4618(S): A monitored security event pattern has occurred.

  • 4816(S): RPC detected an integrity violation while decrypting an incoming message.

  • 5038(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

  • 5056(S): A cryptographic self-test was performed.

  • 5062(S): A kernel-mode cryptographic self-test was performed.

  • 5057(F): A cryptographic primitive operation failed.

  • 5060(F): Verification operation failed.

  • 5061(S, F): Cryptographic operation.

  • 6281(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

  • 6410(F): Code integrity determined that a file does not meet the security requirements to load into a process.
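
The following PowerShell is an added example, not part of the original page: it checks that the subcategory is set to the recommended Success and Failure, then summarises recent events from the list above. It assumes an elevated session and an English-language system (the subcategory name passed to auditpol is localized); the 7-day window and the `$review` split are choices made for this example.

```powershell
$subcategory = 'System Integrity'

# auditpol /r emits CSV; 'Inclusion Setting' holds the effective audit setting.
$policy = auditpol /get /subcategory:"$subcategory" /r |
    Where-Object { $_ } |
    ConvertFrom-Csv |
    Where-Object { $_.Subcategory -eq $subcategory }

$setting = $policy.'Inclusion Setting'
if ($setting -ne 'Success and Failure') {
    Write-Warning "'$subcategory' is '$setting'; recommended is Success and Failure."
}

# Event IDs taken from the Events List on this page.
$ids = 4612, 4615, 4618, 4816, 5038, 5056, 5057, 5060, 5061, 5062, 6281, 6410

# Example's own split: events tied to lost audits, LPC, RPC or code integrity.
$review = 4612, 4615, 4816, 5038, 6281, 6410

$since = (Get-Date).AddDays(-7)   # look-back window chosen for this example

# No matching events is reported as an error; suppress it and treat as empty.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = $since
} -ErrorAction SilentlyContinue

# One row per event ID: count, whether it is in the review set, latest occurrence.
$events |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { [int]$_.Name } },
        Count,
        @{ n = 'Review'; e = { $review -contains [int]$_.Name } },
        @{ n = 'Latest'; e = { ($_.Group | Measure-Object TimeCreated -Maximum).Maximum } }
```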