Appendix B - Audit Categories and Events

Security Target Compliance Matrix for Audit

| Component | Event | Audit Event | Required Setting: S (Success) | Required Setting: F (Failure) |
|---|---|---|---|---|
| FAU_GEN.1 | Start-up and shutdown of the audit functions | Category: Policy change<br>612 – Audit policy change.<br>(The event is generated whenever audit is enabled or disabled for any of the audit categories. A list of audit changes is displayed in the event log.) | ✓ | |
| FAU_GEN.2 | None | | | |
| FAU_SAR.1 | Reading of information from the audit records | Category: Privilege use<br>578 – Privileged object operation.<br>(Accessing the Security Event Log. Success should result for SeSecurityPrivilege.) | ✓ | |
| FAU_SAR.2 | Unsuccessful attempts to read information from the audit records | Category: Privilege use<br>578 – Privileged object operation.<br>(Failure should result for SeSecurityPrivilege.) | | ✓ |
| FAU_SAR.3 | None | | | |
| FAU_SEL.1 | All modifications to the audit configuration that occur while the audit collection functions are operating | Category: Policy change<br>612 – Audit policy change.<br>(A list of audit changes is displayed in the event log.) | ✓ | |
| FAU_STG.1 | None | | | |
| FAU_STG.3 | Actions taken due to exceeding of a threshold | Category: System<br>516 – Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.<br>517 – The audit log was cleared.<br>(Review action taken by an authorized administrator to clear the event logs in response to the system exceeding a predefined audit threshold.)<br>523 – The audit log is "x" percent full.<br>(Note: event 523 is generated only with SP3. The registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel must be set to the percentage full at which the administrator wants the audit record to be written.) | ✓ | |
| FAU_STG.4 | Actions taken due to the audit storage failure | 517 – The audit log was cleared.<br>(Review action taken by an authorized administrator to clear the event logs in response to the system exceeding a predefined audit threshold.) | | |
| FDP_ACC.1(a) | None | | | |
| FDP_ACF.1(a) | All requests to perform an operation on an object covered by the SFP | Category: Object access<br>563 – Object open for delete.<br>564 – Object deleted.<br>565 – Object open.<br>566 – Object operation.<br>Category: Process tracking<br>594 – A handle to an object has been duplicated.<br>595 – Indirect access to an object has been obtained. | ✓ | ✓ |
| FDP_RIP.2 | None | | | |
| FDP_RIP.2 Note 1 | None | | | |
| FIA_ATD.1 | None | | | |
| FIA_SOS.1 | Rejection or acceptance by the TSF of any tested secret | Category: Logon<br>528 – Successful logon.<br>529 – Logon failure: Unknown user name or bad password.<br>535 – Logon failure: The specified account's password has expired.<br>540 – Successful network logon.<br>545 – IPSec peer authentication failed.<br>Category: Account logon<br>680 – Account used for logon.<br>681 – The logon account: `<client name>` by: `<source>` from workstation `<workstation>` failed. The error code was `<error>`. | ✓ ✓ | ✓ ✓ |
| FIA_UAU.7 | None | | | |
| FIA_USB.1 | Success and failure of binding user security attributes to a subject (e.g., success and failure to create a subject) | Category: Process tracking<br>592 – A new process has been created. | ✓ | ✓ |
| FMT_MSA.1(a) | All modifications of the values of object security attributes | Category: Object access<br>560 – Object open.<br>(Under Description: Accesses, the following entries should be present: AppendData, ReadAttributes and WriteAttributes.) | ✓ | |
| FMT_MSA.3(a) | Modifications of the default setting of permissive or restrictive rules. All modifications of the initial value of security attributes. | Category: Object access<br>560 – Object open. | ✓ | |
| FMT_MTD.1(a)<br>CAPP – 5.4.3 | All modifications to the values of TSF data (audit log creation, deletion, and clearing) | Category: System<br>517 – The audit log was cleared.<br>Category: Object access<br>(These events can log direct deletion of the security log files when auditing is set on the security log files.)<br>563 – Object open for delete.<br>564 – Object deleted.<br>Category: Privilege use<br>578 – Privileged object operation.<br>(Shown as use of SeSecurityPrivilege, with actual changes noted in event 612.)<br>Category: Policy change<br>612 – Audit policy change. | ✓ ✓ ✓ ✓ | |
| FMT_MTD.1(b)<br>CAPP – 5.4.4 | All modifications to the values of TSF data (audit log modification, including the new value of the TSF data) | Category: Policy change<br>612 – Audit policy change. | | |
| FMT_MTD.1(c)<br>CAPP – 5.4.5 | All modifications to the values of TSF data (user security attributes, including the new value of the TSF data) | Category: Policy change<br>608 – User right assigned.<br>609 – User right removed.<br>Category: Account management<br>624 – User account created.<br>625 – User account type changed.<br>626 – User account enabled.<br>629 – User account disabled.<br>630 – User account deleted.<br>631 – Security enabled Global Group created.<br>632 – Security enabled Global Group member added.<br>633 – Security enabled Global Group member removed.<br>634 – Security enabled Global Group deleted.<br>635 – Security enabled Local Group created.<br>636 – Security enabled Local Group member added.<br>637 – Security enabled Local Group member removed.<br>638 – Security enabled Local Group deleted.<br>639 – Security enabled Local Group changed.<br>641 – Security enabled Global Group changed.<br>642 – User account changed.<br>644 – User account locked.<br>648 – Security disabled Local Group created.<br>649 – Security disabled Local Group changed.<br>650 – Security disabled Local Group member added.<br>651 – Security disabled Local Group member removed.<br>652 – Security disabled Local Group deleted.<br>653 – Security disabled Global Group created.<br>654 – Security disabled Global Group changed.<br>655 – Security disabled Global Group member added.<br>656 – Security disabled Global Group member removed.<br>657 – Security disabled Global Group deleted.<br>658 – Security enabled Universal Group created.<br>659 – Security enabled Universal Group changed.<br>660 – Security enabled Universal Group member added.<br>661 – Security enabled Universal Group member removed.<br>662 – Security enabled Universal Group deleted.<br>663 – Security disabled Universal Group created.<br>664 – Security disabled Universal Group changed.<br>665 – Security disabled Universal Group member added.<br>666 – Security disabled Universal Group member removed.<br>667 – Security disabled Universal Group deleted.<br>668 – Group type changed. | ✓ ✓ | |
| FMT_MTD.1(d)<br>CAPP – 5.4.6 | All modifications to the values of TSF data (authentication data) | Category: Account management<br>627 – Change password attempt.<br>628 – User account password set. | ✓ | ✓ |
| FMT_REV.1(a)<br>CAPP – 5.4.7 | All attempts to revoke security attributes (user attributes) | Category: Policy change<br>609 – User right removed.<br>Category: Account management<br>629 – User account disabled.<br>644 – User account locked. | ✓ ✓ | |
| FMT_REV.1(b)<br>CAPP – 5.4.8 | All modifications to the values of TSF data (object attributes) | (See FMT_MSA.1(a)) | | |
| FMT_SMR.1 | Modifications to the group of users that are part of a role.<br>Every use of the rights of a role. (Additional/Detailed) | Category: Privilege use<br>578 – Privileged object operation.<br>Category: Account management<br>632 – Security enabled Global Group member added.<br>633 – Security enabled Global Group member removed.<br>634 – Security enabled Global Group deleted.<br>636 – Security enabled Local Group member added.<br>637 – Security enabled Local Group member removed.<br>638 – Security enabled Local Group deleted.<br>639 – Security enabled Local Group changed.<br>640 – General account database change.<br>641 – Security enabled Global Group changed.<br>648 – Security disabled Local Group created.<br>649 – Security disabled Local Group changed.<br>650 – Security disabled Local Group member added.<br>652 – Security disabled Local Group deleted.<br>654 – Security disabled Global Group changed.<br>655 – Security disabled Global Group member added.<br>656 – Security disabled Global Group member removed.<br>657 – Security disabled Global Group deleted.<br>659 – Security enabled Universal Group changed.<br>660 – Security enabled Universal Group member added.<br>661 – Security enabled Universal Group member removed.<br>662 – Security enabled Universal Group deleted.<br>664 – Security disabled Universal Group changed.<br>665 – Security disabled Universal Group member added.<br>666 – Security disabled Universal Group member removed.<br>668 – Group type changed. | ✓ ✓ | ✓ |
| FPT_AMT.1 | Execution of the tests of the underlying machine and the results of the test. | Not Applicable | | |
| FPT_RVM.1 | None | | | |
| FPT_SEP.1 | None | | | |
| FPT_STM.1 | Changes to the time | Category: Privilege use<br>577 – Privileged service called.<br>(Shown as use of SeSystemTimePrivilege.) | ✓ | ✓ |
| FIA_AFL.1 | Logon failure (disabling of account due to meeting a predefined threshold) | Category: Logon<br>529 – Logon failure: Unknown user name or bad password. (leading to the lockout)<br>Category: Account management<br>642 – User account changed – account locked.<br>644 – User account locked. | ✓ | ✓ |
| FIA_UAU.2 | The use of the authentication mechanism | Category: Logon<br>528 – Successful logon.<br>529 – Logon failure: Unknown user name or bad password.<br>540 – Successful network logon.<br>Category: Account logon<br>680 – Account used for logon.<br>681 – The logon account: `<client name>` by: `<source>` from workstation `<workstation>` failed. The error code was `<error>`. | ✓ | ✓ |
| FIA_UID.2 | All use of the user identification mechanism, including the identity provided during successful attempts | Category: Logon<br>528 – Successful logon.<br>529 – Logon failure: Unknown user name or bad password.<br>535 – Logon failure: The specified account's password has expired.<br>540 – Successful network logon.<br>545 – IPSec peer authentication failed.<br>Category: Account logon<br>625 – Pre-authentication failed.<br>681 – The logon account: `<client name>` by: `<source>` from workstation `<workstation>` failed. The error code was `<error>`. | ✓ | ✓ |
| FMT_MOF.1(a) | Audit policy changes | Category: Privilege use<br>578 – Privileged object operation.<br>(Shown as use of SeSecurityPrivilege.)<br>Category: Policy change<br>612 – Audit policy change. | ✓ ✓ | ✓ |
| FMT_MTD.1(g) | Attempt to use an authorized administrator privilege to change the TSF time | Category: Privilege use<br>577 – Privileged service called. (Shown as use of SeSystemTimePrivilege.) | ✓ | |
| TRANSFER_PROT_EX | IPSec related events | Category: Logon<br>541 – IPSec security association established.<br>542 – IPSec security association ended. Mode: Data Protection (Quick mode).<br>543 – IPSec security association ended. Mode: Key Exchange (Main mode).<br>544 – IPSec security association establishment failed because peer could not authenticate.<br>545 – IPSec peer authentication failed.<br>546 – IPSec security association establishment failed because peer sent invalid proposal.<br>547 – IPSec security association negotiation failed.<br>Category: Policy change<br>613 – IPSec policy agent started.<br>614 – IPSec policy changed.<br>615 – IPSec policy agent encountered a potentially serious failure.<br>616 – IPSec policy agent encountered a potentially serious failure. | ✓ ✓ | ✓ ✓ |
| FTA_SSL.1 | Attempt to unlock | Category: Logon<br>528 – Logon successful (entry 7 is unlock)<br>529 – Logon failure (entry 7 is unlock) | ✓ | ✓ |
| FTA_SSL.2 | Attempt to unlock | Category: Logon<br>528 – Logon successful (entry 7 is unlock)<br>529 – Logon failure (entry 7 is unlock) | ✓ | ✓ |
| FTA_TSE.1 | Logon failure | Category: Logon<br>535 – Logon failure: The specified account's password has expired. | | ✓ |
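The FAU_STG.3 row notes that event 523 (audit log "x" percent full) is only written when the WarningLevel registry value under the Security event log key is set to the desired percentage. The following script is an added example, not part of the Security Target or of Microsoft's documentation; it sets that value, reads it back to confirm the change took, and then pulls the audit-storage events from the matrix (516, 517, 523) out of the Security log so an administrator can confirm the threshold is actually producing records. It assumes an elevated Windows PowerShell 5.1 session (Get-EventLog is not available in PowerShell 7) on a system where the value is honored as the note describes; the threshold of 90 percent is a sample value, not one the page prescribes.

```powershell
# Added example (not from the Security Target): configure and verify the
# Security log WarningLevel threshold that drives event 523.
# Assumptions: elevated Windows PowerShell 5.1; the value is honored as the
# FAU_STG.3 note describes (Windows 2000 SP3). 90 is a constructed sample value.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
$Threshold = 90   # percent full at which event 523 should be written

# Reject values that cannot be a percentage before touching the registry.
if ($Threshold -lt 1 -or $Threshold -gt 100) {
    throw "WarningLevel must be a percentage between 1 and 100 (got $Threshold)"
}

# Write the REG_DWORD value named in the FAU_STG.3 note.
Set-ItemProperty -Path $KeyPath -Name 'WarningLevel' -Value $Threshold -Type DWord

# Read it back: a silent failure here would leave the threshold unset and
# event 523 would never appear in the log.
$actual = (Get-ItemProperty -Path $KeyPath -Name 'WarningLevel').WarningLevel
if ($actual -ne $Threshold) {
    throw "WarningLevel readback mismatch: expected $Threshold, got $actual"
}
"WarningLevel is $actual% under $KeyPath"

# Evidence check: list the most recent audit-storage events from the matrix
# (516 queue exhausted, 517 log cleared, 523 log x percent full). Reading the
# Security log requires SeSecurityPrivilege, which is itself audited as 578.
Get-EventLog -LogName Security -Newest 2000 |
    Where-Object { $_.EventID -in 516, 517, 523 } |
    Select-Object TimeGenerated, EventID, Message -First 10 |
    Format-Table -AutoSize
```

Because reading the Security log exercises SeSecurityPrivilege, running the evidence check will itself generate a 578 event when Privilege use auditing is enabled, which matches the FAU_SAR.1 row of the matrix.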
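The FIA_AFL.1 row pairs repeated 529 logon failures with the 642/644 account-lockout events that follow once the failure threshold is met. The function below is an added example, not part of the Security Target; it correlates those two event types per account inside a time window so a reviewer can confirm that each lockout is preceded by the expected run of failures and that none of the failure records are missing. The records are constructed sample data (account names, workstations and times are made up), the failure threshold of 3 and the 30-minute window are sample values, and the function name Find-LockoutSequences is an assumption of this example; on a real host the array would be replaced by Get-EventLog output from a Windows PowerShell 5.1 session.

```powershell
# Added example (not from the Security Target): correlate FIA_AFL.1 events,
# 529 logon failures followed by a 644 lockout for the same account.
# $Records is constructed sample data; on a real host replace it with
# Get-EventLog -LogName Security output (Windows PowerShell 5.1).

$Records = @(
    [pscustomobject]@{ Time = [datetime]'2003-05-01 09:00:05'; EventID = 529; Account = 'jdoe';   Workstation = 'WS01' },
    [pscustomobject]@{ Time = [datetime]'2003-05-01 09:00:09'; EventID = 529; Account = 'jdoe';   Workstation = 'WS01' },
    [pscustomobject]@{ Time = [datetime]'2003-05-01 09:00:14'; EventID = 529; Account = 'jdoe';   Workstation = 'WS01' },
    [pscustomobject]@{ Time = [datetime]'2003-05-01 09:00:15'; EventID = 644; Account = 'jdoe';   Workstation = 'WS01' },
    [pscustomobject]@{ Time = [datetime]'2003-05-01 09:02:00'; EventID = 529; Account = 'asmith'; Workstation = 'WS02' },
    [pscustomobject]@{ Time = [datetime]'2003-05-01 09:02:30'; EventID = 528; Account = 'asmith'; Workstation = 'WS02' },
    [pscustomobject]@{ Time = [datetime]'2003-05-01 09:05:00'; EventID = 644; Account = 'bkim';   Workstation = 'WS03' }
)

function Find-LockoutSequences {
    # Hypothetical helper name; returns one row per 644 lockout with the
    # number of 529 failures seen for that account inside the window.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinFailures = 3,                            # site policy; sample value
        [timespan] $Window = [timespan]::FromMinutes(30)   # sample value
    )
    $results = @()
    foreach ($lockout in ($Events | Where-Object EventID -eq 644)) {
        $failures = $Events | Where-Object {
            $_.EventID -eq 529 -and
            $_.Account -eq $lockout.Account -and
            $_.Time -le $lockout.Time -and
            $_.Time -ge ($lockout.Time - $Window)
        }
        $results += [pscustomobject]@{
            Account        = $lockout.Account
            LockedAt       = $lockout.Time
            Failures       = @($failures).Count
            Workstations   = (@($failures | Select-Object -ExpandProperty Workstation -Unique) -join ',')
            # False means the lockout has fewer failures on record than policy
            # requires: either the audit trail is incomplete or the failures
            # were recorded on another system.
            MeetsThreshold = (@($failures).Count -ge $MinFailures)
        }
    }
    return $results
}

Find-LockoutSequences -Events $Records | Format-Table -AutoSize
```

With the sample data, jdoe shows three 529 failures before the 644 and MeetsThreshold is true, while bkim is locked with no 529 records in the window, which is the case a reviewer should chase: 529 is recorded on the system where the logon was attempted, whereas 644 is an Account management event recorded where the account database lives, so in a domain the two categories must be collected from both the workstation and the domain controller before the sequence can be verified.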