Info - NT auditing

Every audit event has the following 10 fields.

• Date
• Time
• User - if the action was done by a server, this is the client id
• Computer
• Event ID
• Source
• Type - either success or fail
• Category
• Description
• Data - event specific data. Can be used as a mini-core dump.

Additional fields are located within the Description and are based on the Category of the event. Here is a list of audit categories and their events. The information is presented as follows. 

• Audit category
• information recorded
1. numbering of audit fields
• event number - event name (# of the fields that are in the audit log)
• Audit category
• event number - event name
• audit fields

• System Event
• 512 - System Restart
• 513 - System Shutdown
• 514 - Authentication Package Load
• Authentication Package
• 515 - Logon Process Registered
• Logon Process Name
• 516 - Some Audit Event Records Discarded
• Number of audit messages discarded
• 517 - Audit Log Cleared
• Logon/Logoff
• Information recorded
1. Reason
2. User Name
3. Domain
4. Logon ID
5. Logon Type - the method of logon. (i.e. 2 for normal logon, 3 for remote)
6. Logon Process
7. Authentication Package
• 528 - Successful Logon (2-7)
• 529 - Unknown Username or Bad Password (1-3, 5-7)
• 531 - Account Currently Disabled (1-3, 5-7)
• 534 - Logon Type Restricted (1-3, 5-7)
• 535 - Password Expired (1-3, 5-7)
• 537 - Unsuccessful Logon (1-3, 5-7)
• 538 - User Logoff (2-5)
• Object Access
• 560 - Object Open
• Object Server
• Object Type
• Object Name
• New Handle ID - if its a kernel object, it is unique only to that process. If it is a server object, it is unique across all processes.
• Operation ID - this is used to group events that are part of the same operation. It is unique only to the process performing the operation.
• Process ID
• Primary User Name
• Primary Domain
• Primary Login ID
• Client User Name
• Client Domain
• Client Logon ID
• Accesses
• Priviledges
• 562 - Handle Closed
• Object Server
• Handle ID
• Process ID
• Privilege Use
• 576 - Special Privilege Assigned
• User Name
• Domain
• Logon ID
• Assigned
• 577 - Privileged Service Called
• Service
• Server
• Process ID
• Primary User Name
• Primary Domain
• Primary Logon ID
• Client Use Name
• Client Domain
• Client Logon ID
• Privileges
• 578 - Priviledge Object Operation
• Object Type
• Object Name
• Object Server
• Process ID
• Primary User Name
• Primary Domain
• Primary Logon ID
• Client Use Name
• Client Domain
• Client Logon ID
• Privileges
• Account Management
• Information recorded
1. Member
2. New/Target Account Name
3. New/Target Domain
4. New/Target Account ID
5. Caller User Name
6. Caller Domain
7. Caller Logon ID
8. Privileges
• 624 - User Account Created (2-8)
• 642 - User Account Changed (2-7)
• 630 - User Account Deleted (2-7)
• 632 - Global Group Member Added (1-7)
• 633 - Global Group Member Removed (1-7)
• 635 - Local Group Created (2-7)
• 636 - Local Group Member Added (1-8)
• 637 - Local Group Member Removed (1-8)
• 639 - Local Group Changed (2-7)
• 638 - Local Group Deleted (2-7)
• Policy Change
• 608 - User Right Assigned
• User Right
• Assigned To
• User Name
• Domain
• Logon ID
• 609 - User Right Removed
• User Right
• Removed From
• User Name
• Domain
• Logon ID
• 612 - Audit Policy Change
• New Policy
• User Name
• Domain
• Logon ID
• Detailed Tracking
• 592 - New Process Has Been Created
• New Process ID
• Image File Name
• Creator Process ID
• User Name
• Domain
• Logon ID
• 593 - Process Has Exited
• Process ID
• User Name
• Domain
• Logon ID
• 594 - Handle Duplicated
• Source Handle ID
• Source Process ID
• New Handle ID
• Target Process ID
• 595 - Indirect Access to Object
• Object Type
• Object Name
• Via Handle ID
• Object Server
• Process ID
• Primary User Name
• Primary Domain
• Primary Logon ID
• Client User Name
• Client Domain
• Client Logon ID
• Accesses Granted

Registry Changes that affect auditing: 

NT does not normally record the use of the Back Up Files and Directories and the Restore Files and Directories rights required to do backups and restores..  To enable full auditing of these privileges make the following change in the registry. 

Hive: HKEY_LOCAL_MACHINE\System   
Key: \CurrentControlSet\Control\Lsa  
Name: FullPrivilegeAuditing 
Type: REG_BINARY  
Value: 1 

The use of the following rights are never audited, by the assignment of them is. 

• Bypass traverse checking (SeChangeNotify) 
• Generate security audits (SeAuditPrivilege) 
• Create a token object (SeCreateTokenPrivilege) 
• Debug programs (SeDebugPrivilege) 
• Create a new security context for a new logon (AssignPrimaryToken) 

To prevent auditable activities when the audit log is full, change the following registry key

Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: \CurrentControlSet\Control\Lsa
Name: CrashOnAuditFail
Type: REG_DWORD
Value: 1

When the log becomes full, the system crashs and must be restarted. After it is restarted, the log is full, so no events are audited. The log must be cleared and the above value reset.


Standard objects that are auditing in NT include files, directories, printers, and registry keys. 

To audit these standard objects, first it must be enabled with the user manager.  Then, the type of auditing to be performed must be specified on each object using either the file manager, print manager, or registry editor. 

To enable base objects (objects invisible to the user), make the following change to the registry. 

Hive: HKEY_LOCAL_MACHINE\SYSTEM  
Key: \CurrentControlSet\Control\Lsa  
Name: AuditBaseObjects  
Type: REG_DWORD  
Value: 1 

A full description of these base objects are located in MSDN level 2. 

Auditing Base Objects generates significantly more audit events. The results of a simple experiment can be found here. 


Logging management information is stored in:
HKEY_LOCAL_MACHINE 
  SYSTEM 
    CurrentControlSet 
      Services 
        EventLog 
          Application 
          Security 
          System 

The following operations can be performed on event logs

Operation                 Function

Backup                     BackupEventLog
Clear                        ClearEventLog
Query                       GetOldestEventLogRecord, GetNumberOfEventLogRecords
Read                         ReadEventLog
Write                         ReportEvent

It also provides the following operations to be performed on event log handles:  OpenEventLog, OpenBackupEventLog, RegisterEventSource, DeregisterEventSource, and CloseEventLog.

Problems 

The full range of base objects and operations that are performed on them. 

How NT stores the audit log. 
    Apparently, information is stored in the directory "Winnt/system32/config".  The .evt files store the record of events.  However, these files are not updated as new events are generated.  Other files in that directory, such as Security and Security.log, are apparently updated as events are generated, but they are constantly in use by the system and, thus, are locked and cannot be read. 

The binary representation of the .evt files. 
    These files can be accessed using the Win32 event logging API which are documented on the MSDN  CD.  These files can also be saved as text or comma delimited text files using the event manager.