windows-vista – Vista failure auditing

I need to satisfy government security requirements in order to ship my product. Here are the specific requirements I am trying to meet:

Group ID (Vulid): V-1080

Group Title: File Auditing Configuration

Rule ID: SV-29471r1_rule

Severity: CAT II

Rule Version (STIG-ID): 2.007

Rule Title: File-auditing configuration does not meet minimum requirements.

Vulnerability discussion: Improper modification of the core system files can render a system inoperable. Further, modifications to these system files can have a significant impact on the security configuration of the system. Auditing of significant modifications made to the system files provides a method of determining the responsible party.

False Positives: Automated checking sometimes reports this as a false finding. If a manual review of a questionable finding shows auditing to be set correctly, then this would not be a finding.

Responsibility: System Administrator

IAControls: ECAR-1, ECAR-2, ECAR-3

Check Content: If system-level auditing is not enabled, or if the system and data partitions are not installed on NTFS partitions, then mark this as a finding.

Open Windows Explorer and use the file and folder properties function to verify that the audit settings on each partition/drive are configured to audit all "failures" for the "Everyone" group.

If any partition/drive is not configured to at least the minimum requirement, then this is a finding.

Fix Text: Configure auditing on each partition/drive to audit all "Failures" for the "Everyone" group.

I need to use Windows file auditing to record failed file accesses on the whole local disk (C:) on Windows Vista. On a fresh install of Windows Vista Business SP2, I log in as the local administrator. In Windows Explorer I select C:, Properties, Advanced, Auditing, Continue, Continue. I add an auditing entry for Everyone, apply it to "This folder, subfolders and files", check "Full control" under Failed, and leave "Apply these auditing entries to objects and/or containers within this container only" unchecked. OK, Apply.

After clicking Apply, I get dozens of "Access is denied" error messages for various OS-related folders and files:

An error occurred while applying security information to:

File path

Access is denied.

or

An error occurred while applying security information to:

File path

The process cannot access the file because it is being used by another process.

I tried taking ownership of C:, but I get errors when I try that as well. Is there a simple way, via a batch script or the Windows GUI, to enable full auditing for Everyone on C: without getting dozens of error messages for files the operating system controls? If something triggers "Access is denied", can I just skip it without having to click OK in the error pop-up?
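The check and fix described in the STIG text above, scripted in PowerShell as an added example (this is not code from the original question or from any answer). It assumes an elevated PowerShell 2.0 or later prompt on the Vista machine (reading or writing a SACL needs SeSecurityPrivilege, which .NET enables for an administrator), that "all Failures for Everyone" means a Full control / Failed entry applied to "This folder, subfolders and files", and that Windows propagates the inheritable entry from the drive root itself once Set-Acl writes it, so items the administrator cannot open are skipped by the system rather than reported one pop-up at a time; the function names are the example's own.

```powershell
# Added example: apply and verify the V-1080 / STIG-ID 2.007 audit entry on
# every fixed NTFS drive. Run from an elevated PowerShell prompt.

# Step 1 of the check: system-level auditing must be enabled, otherwise the
# per-folder SACL entries never produce any events. auditpol.exe exists on
# Vista and later.
auditpol /set /subcategory:"File System" /failure:enable | Out-Null

# The entry the Fix Text asks for: Everyone (S-1-1-0), Full control, Failed,
# inherited by subfolders (ContainerInherit) and files (ObjectInherit).
function New-StigAuditRule {
    $everyone = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
        -ArgumentList ([System.Security.Principal.WellKnownSidType]::WorldSid, $null)
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor `
               [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList (
        $everyone,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Failure)
}

# Check: does the drive root already carry an explicit Everyone/Failed entry
# that covers Full control? Only the root is inspected, matching the STIG's
# "each partition/drive" wording.
function Test-StigAudit ([string]$Root) {
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $sacl = Get-Acl -Path $Root -Audit
    $match = $sacl.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq 'S-1-1-0' -and
            ($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Failure) -and
            (($_.FileSystemRights -band $full) -eq $full)
        }
    return ($match -ne $null)
}

# Fix: add the entry to the root's SACL. Set-Acl hands the new SACL to Windows,
# which propagates the inheritable ACE downward; it does not walk the tree
# itself the way the Explorer dialog does (assumption stated in the lead-in).
function Set-StigAudit ([string]$Root) {
    $sacl = Get-Acl -Path $Root -Audit
    $sacl.AddAuditRule((New-StigAuditRule))
    Set-Acl -Path $Root -AclObject $sacl
}

# Fixed disks only (DriveType 3); a non-NTFS system or data partition is a
# finding on its own, so it is reported rather than modified.
foreach ($disk in Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 3") {
    $root = $disk.DeviceID + '\'
    if ($disk.FileSystem -ne 'NTFS') {
        Write-Warning ("{0} is {1}, not NTFS: finding" -f $root, $disk.FileSystem)
        continue
    }
    if (-not (Test-StigAudit $root)) {
        try {
            Set-StigAudit $root
        } catch {
            # Report and move on instead of stopping at the first failing drive.
            Write-Warning ("{0}: {1}" -f $root, $_.Exception.Message)
            continue
        }
    }
    Write-Output ("{0} Everyone/Failed audit entry present: {1}" -f $root, (Test-StigAudit $root))
}

# Final evidence for the reviewer: confirm the subcategory is really on.
auditpol /get /subcategory:"File System"
```

Re-running the script is safe: the check runs before the fix, so an existing entry is left alone rather than duplicated, and the two auditpol lines give the "system-level auditing enabled" half of the check directly.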

I, and probably every system administrator, would steer you away from using auditing on an entire drive, especially a working drive. The sheer volume of audit events alone can bring your system to a standstill.

The Everyone group is not what you think it is. If you are looking for physical humans who are logged in, this is not the right group to audit...

Keep in mind that a great many reads and writes fail on purpose. That is because it is a cheap and fast way to find out whether a file exists. If you try to create a file, most (if not all) programs will try to open a file by that name. If it exists, Windows returns the file and the program simply raises an error: "File exists." This is much faster than walking a directory listing and checking whether the file name is already in use.

Again, keep in mind the burden on the audit engine here. The file system will work normally, but the audit engine basically has to keep up. Every time a handle is opened and closed, the audit engine has to check whether it resulted in an NTFS failure. Considering the huge number of handles created not only by the operating system but simply by running normal programs, this can bring your OS to a standstill.

An error occurred while applying security information to:

File path

The process cannot access the file because it is being used by another process.

The error message explains it all. The file is in use by another program, possibly the OS. Trying to modify a file while the OS is using it can crash the OS.

An error occurred while applying security information to:

File path

Access is denied.

Generally, when someone has gone to the trouble of preventing even the system owner from accessing a file, there is usually a reason.

So the question is...
What are you trying to do?

It would help us a lot if you explained exactly what you intend to do. What is your goal? Are you trying to track the activity of logged-in users? This is probably the worst way to do that. Are you trying to track rogue programs? This is not the way you want to do that.

Edit

Now that I have read the ridiculous requirement, we have moved over to ServerFault in the hope of finding someone who has dealt with this nonsense.
