AK202348

Monitor_AK202348 (UnitMonitor)

Potentially risky audit failure settings detected

Knowledge Base article:

External

http://go.microsoft.com/fwlink/?LinkId=221409

Element properties:

Target: Microsoft.KnowledgeServices.Windows.Server.2008.AD.DomainControllerRole
Parent Monitor: System.Health.ConfigurationState
Category: Alert
Enabled: True
Alert Generate: True
Alert Severity: Warning
Alert Priority: Normal
Alert Auto Resolve: True
Monitor Type: Microsoft.KnowledgeServices.Library.PowerShellMonitorEx
Remotable: True
Accessibility: Public
Alert Message:
Potentially risky audit failure settings detected
<Details>
<Content>The registry value for CrashOnAuditFail is set to '1' and the value for event log wrapping is set to 'Do not overwrite events older than (x) days' on this domain controller. The number of audit events generated on domain controllers is typically high and can quickly fill up the security event log, which in turn will cause the domain controller to perform a deliberate crash once the event log is full.

See the Knowledge Base article for more information on how to address this issue.</Content>
<CollectedInformation>
<Info>
<Name>Security Event Log Configured as 'Do Not Overwrite Events'</Name>
<Value>{0}</Value>
</Info>
</CollectedInformation>
</Details>
Run As: Default
Comment: SupportTopic=TBD;VersionNumber=1.0.0.0;

Source Code:

<UnitMonitor ID="Monitor_AK202348" Comment="SupportTopic=TBD;VersionNumber=1.0.0.0;" Accessibility="Public" Enabled="true" Target="MicrosoftKnowledgeServicesWindowsServerADLibrary!Microsoft.KnowledgeServices.Windows.Server.2008.AD.DomainControllerRole" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="KnowledgeServicesLibrary!Microsoft.KnowledgeServices.Library.PowerShellMonitorEx" ConfirmDelivery="true">
<Category>Alert</Category>
<AlertSettings AlertMessage="MonitorMessage668de1f4d035409fb65a13b00d6b35de">
<AlertOnState>Error</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>Warning</AlertSeverity>
<AlertParameters>
<AlertParameter1>$Data/Context/Property[@Name='IsSecLogDoNotOverwrite']$</AlertParameter1>
</AlertParameters>
</AlertSettings>
<OperationalStates>
<OperationalState ID="Success" MonitorTypeStateID="Success" HealthState="Success"/>
<OperationalState ID="Error" MonitorTypeStateID="Error" HealthState="Error"/>
</OperationalStates>
<Configuration>
<ScriptName>AK202348.ps1</ScriptName>
<Parameters/>
<ScriptBody><Script>

$ErrorActionPreference = "Stop"

# Set up the arguments
$scriptargs = New-Object psobject

# Set up the output
$global:scriptoutput = New-Object psobject
$scriptoutput | Add-Member NoteProperty "IsSecLogDoNotOverwrite" $false
$scriptoutput | Add-Member NoteProperty "HasIssue" $false
#-----------------------------------------------------
# MAIN CODE SECTION
#-----------------------------------------------------

# Environment

$scriptoutput.IsSecLogDoNotOverwrite = $false

$scriptenv = New-Object psobject

# Reads HKLM\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail; returns 0 when the key or value is absent
$scriptenv | Add-Member ScriptMethod "GetCrashOnAuditFail" -Value {
    $valReturn = 0
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
    if (Test-Path -Path $keyPath)
    {
        $key = Get-Item -Path $keyPath
        $values = Get-ItemProperty $key.PSPath
        if (!($values.crashonauditfail -eq $null))
        {
            $valReturn = $values.crashonauditfail
        }
    }
    return $valReturn
}

# True when the Security log's OverflowAction is DoNotOverwrite
$scriptenv | Add-Member ScriptMethod "GetIsSecLogDoNotOverwrite" -Value {

    $log = $scriptenv.GetSecurityLogObject()

    $valReturn = $false
    if (!($log -eq $null))
    {
        $logOverWriteStatus = $log.OverflowAction
        if ($logOverWriteStatus -eq "DoNotOverwrite")
        {
            $valReturn = $true
        }
    }

    return $valReturn
}

# Returns the System.Diagnostics.EventLog object for the Security log
$scriptenv | Add-Member ScriptMethod "GetSecurityLogObject" -Value {
    $valReturn = Get-EventLog -List | Where-Object { $_.Log -eq "security" }
    return $valReturn
}

#-----------------------------------------------------
# Main User Function
#-----------------------------------------------------

function AdvisorRule($scriptargs, $scriptoutput)
{
    # Initialize parameters
    $scriptoutput.HasIssue = $false
    # Detection Logic

    # HasIssue is raised whenever CrashOnAuditFail is 1; the log retention
    # result is carried along as collected information for the alert.
    if ($scriptenv.GetCrashOnAuditFail() -eq 1)
    {
        $scriptoutput.IsSecLogDoNotOverwrite = $scriptenv.GetIsSecLogDoNotOverwrite()
        $scriptoutput.HasIssue = $true
    }
}
AdvisorRule $scriptargs $scriptoutput

# set the output
$mom = New-Object -ComObject "MOM.ScriptAPI"
$bag = $mom.CreatePropertyBag()

if ($scriptoutput.IsSecLogDoNotOverwrite -ne $null)
{
    $bag.AddValue("IsSecLogDoNotOverwrite", $scriptoutput.IsSecLogDoNotOverwrite)
}

if ($scriptoutput.HasIssue -ne $null)
{
    $bag.AddValue("HasIssue", $scriptoutput.HasIssue)
}

$bag

</Script></ScriptBody>
<SnapIns/>
<TimeoutSeconds>300</TimeoutSeconds>
<Schedule>86385</Schedule>
<ErrorExpression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="Boolean">Property[@Name='HasIssue']</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="Boolean">true</Value>
</ValueExpression>
</SimpleExpression>
</ErrorExpression>
<SuccessExpression>
<Not>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="Boolean">Property[@Name='HasIssue']</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="Boolean">true</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</Not>
</SuccessExpression>
</Configuration>
</UnitMonitor>
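The monitor script above reads two settings, CrashOnAuditFail under the Lsa key and the OverflowAction of the Security event log, but raises HasIssue on the registry value alone. The following is an added example, not part of the AK202348 management pack, that runs the same two checks interactively, reports both halves of the condition the alert text describes, and optionally applies the retention change that removes the path to a deliberate halt. It assumes Windows PowerShell 5.1 on the domain controller (Get-EventLog and Limit-EventLog are not available in PowerShell 7) and an elevated session for the repair step; the function names and the 1 GB default size are this example's own choices.

```powershell
# Added example; not part of the AK202348 management pack. Assumes Windows
# PowerShell 5.1 on the DC and an elevated session for Repair-AuditFailureRisk.

function Get-AuditFailureRisk {
    [CmdletBinding()]
    param()

    # CrashOnAuditFail: 0 = off, 1 = halt when the Security log cannot be written,
    # 2 = the system has already halted once and only administrators can log on.
    $crash = 0
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if ($null -ne $lsa -and $null -ne $lsa.CrashOnAuditFail) {
        $crash = [int]$lsa.CrashOnAuditFail
    }

    # OverflowAction on System.Diagnostics.EventLog is one of OverwriteAsNeeded,
    # OverwriteOlder (than MinimumRetentionDays) or DoNotOverwrite.
    $secLog = Get-EventLog -List | Where-Object { $_.Log -eq 'Security' }
    $overflow = 'Unknown'
    $maxKb = 0
    $retentionDays = 0
    if ($null -ne $secLog) {
        $overflow = $secLog.OverflowAction.ToString()
        $maxKb = [int]$secLog.MaximumKilobytes
        $retentionDays = [int]$secLog.MinimumRetentionDays
    }

    [PSCustomObject]@{
        CrashOnAuditFail        = $crash
        SecurityLogOverflow     = $overflow
        SecurityLogMaxKB        = $maxKb
        SecurityLogRetainDays   = $retentionDays
        IsSecLogDoNotOverwrite  = ($overflow -eq 'DoNotOverwrite')
        # The monitor sets HasIssue on CrashOnAuditFail alone and only reports the
        # retention setting; this flag requires both conditions from the alert text.
        AtRiskOfDeliberateCrash = ($crash -eq 1 -and $overflow -eq 'DoNotOverwrite')
    }
}

function Repair-AuditFailureRisk {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Constructed default; size the log for the DC's actual audit volume.
        # Limit-EventLog requires a multiple of 64 KB.
        [long]$MaximumSize = 1GB
    )

    $risk = Get-AuditFailureRisk
    if (-not $risk.AtRiskOfDeliberateCrash) {
        Write-Verbose 'Security log already wraps or CrashOnAuditFail is not 1; nothing to change.'
        return $risk
    }

    # CrashOnAuditFail is left as configured (it may be required by policy);
    # allowing the log to wrap is what removes the deliberate-halt path.
    if ($PSCmdlet.ShouldProcess('Security event log', "Set OverflowAction=OverwriteAsNeeded, MaximumSize=$MaximumSize bytes")) {
        Limit-EventLog -LogName Security -OverflowAction OverwriteAsNeeded -MaximumSize $MaximumSize
    }
    return Get-AuditFailureRisk
}

# Usage:
#   Get-AuditFailureRisk | Format-List
#   Repair-AuditFailureRisk -WhatIf
#   Repair-AuditFailureRisk -Verbose
```

Run Get-AuditFailureRisk first; AtRiskOfDeliberateCrash is the combined condition, while IsSecLogDoNotOverwrite corresponds to the value the monitor places in the alert's collected information. Before applying Repair-AuditFailureRisk, check whether either setting is delivered by Group Policy (the Security Option "Audit: Shut down system immediately if unable to log security audits" for CrashOnAuditFail, and the Event Log retention policy for the Security log): a local change on a domain controller is reverted at the next policy refresh, so the correction belongs in the GPO in that case.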