Security events failure auditing (Windows)

Module: System Auditing

Supported Platforms: Windows 2000, Windows 2003, Windows 2008, Windows Vista, Windows XP

This check verifies that specified, failed security events are being audited. Use the Keys lists to specify which failed security events should be audited.

The following table lists the error messages for the check.

Table: Error messages for Security events failure auditing

Columns: Message String ID and Category; Platform and Message Numeric ID; Message Title and Description; Additional Information

String ID: ESM_SEC_EVENT_AUDIT_NOT_ENABLED

Category: Policy Compliance

  • Windows 2000 (106130)

  • Windows 2003 (206130)

  • Windows 2008 (249130)

  • Windows Vista (229130)

  • Windows XP (201130)

Title: Security event auditing is not enabled

Description: Security event auditing is not enabled. Audit trails will not be generated. Enable security event auditing to be able to track unauthorized users during or after a break-in.

Severity: red-4

Correctable: true

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

String ID: ESM_SEC_EVENT_SETTING_TOO_WEAK

Category: Policy Compliance

  • Windows 2000 (106131)

  • Windows 2003 (206131)

  • Windows 2008 (249131)

  • Windows Vista (229131)

  • Windows XP (201131)

Title: Security event audit settings are too weak

Description: Security event audit settings are weaker than those specified in your Symantec ESM security policy. Some actions on this system will not be audited unless the related action settings are enabled. Change the event audit settings to match the policy.

Severity: yellow-1

Correctable: true

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]
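
The check described above can be reproduced by hand against the [Event Audit] section of a `secedit /export` policy file. The following is an added example, not Symantec ESM code. It assumes the secedit setting names stand in for the Keys list entries, and that the two message String IDs map to "no auditing at all" and "a required failure setting is missing", as their descriptions suggest.

```python
# Added example: evaluate failure auditing from a `secedit /export` INF.
# [Event Audit] values: 0 = none, 1 = success, 2 = failure, 3 = both.
FAILURE = 2

# Constructed sample policy export, not taken from a real host.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 1
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 1
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
"""

def parse_event_audit(inf_text):
    """Return {setting: int} read from the [Event Audit] section only."""
    settings, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[event audit]"
        elif in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = int(value)
    return settings

def check_failure_auditing(inf_text, required):
    """Return (string_id_or_None, events that lack failure auditing).

    `required` is a hypothetical stand-in for the check's Keys list.
    A missing or all-zero section is treated as auditing not enabled.
    """
    settings = parse_event_audit(inf_text)
    if not any(settings.values()):
        return "ESM_SEC_EVENT_AUDIT_NOT_ENABLED", sorted(required)
    # Success-only (1) does not satisfy a failure-auditing requirement.
    missing = sorted(k for k in required if not settings.get(k, 0) & FAILURE)
    return ("ESM_SEC_EVENT_SETTING_TOO_WEAK" if missing else None), missing
```

On a live system, export the policy with `secedit /export /cfg <file>` and decode the file (typically UTF-16) before passing its text to `check_failure_auditing`.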