Potentially risky audit failure settings detected
http://go.microsoft.com/fwlink/?LinkId=221409
Target | Microsoft.KnowledgeServices.Windows.Server.2008.AD.DomainControllerRole | ||
Parent Monitor | System.Health.ConfigurationState | ||
Category | Alert | ||
Enabled | True | ||
Alert Generate | True | ||
Alert Severity | Warning | ||
Alert Priority | Normal | ||
Alert Auto Resolve | True | ||
Monitor Type | Microsoft.KnowledgeServices.Library.PowerShellMonitorEx | ||
Remotable | True | ||
Accessibility | Public | ||
Alert Message | | ||
RunAs | Default | ||
Comment | SupportTopic=TBD;VersionNumber=1.0.0.0; |
<UnitMonitor ID="Monitor_AK202348" Comment="SupportTopic=TBD;VersionNumber=1.0.0.0;" Accessibility="Public" Enabled="true" Target="MicrosoftKnowledgeServicesWindowsServerADLibrary!Microsoft.KnowledgeServices.Windows.Server.2008.AD.DomainControllerRole" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="KnowledgeServicesLibrary!Microsoft.KnowledgeServices.Library.PowerShellMonitorEx" ConfirmDelivery="true">
<Category>Alert</Category>
<AlertSettings AlertMessage="MonitorMessage668de1f4d035409fb65a13b00d6b35de">
<AlertOnState>Error</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>Warning</AlertSeverity>
<AlertParameters>
<AlertParameter1>$Data/Context/Property[@Name='IsSecLogDoNotOverwrite']$</AlertParameter1>
</AlertParameters>
</AlertSettings>
<OperationalStates>
<OperationalState ID="Success" MonitorTypeStateID="Success" HealthState="Success"/>
<OperationalState ID="Error" MonitorTypeStateID="Error" HealthState="Error"/>
</OperationalStates>
<Configuration>
<ScriptName>AK202348.ps1</ScriptName>
<Parameters/>
<ScriptBody>
# Fail fast: every non-terminating error becomes terminating, so a partial
# probe never reaches the property bag as a "healthy" result.
$ErrorActionPreference = "Stop"
# Argument object. No parameters are declared for this monitor, so it stays empty.
$scriptargs = New-Object -TypeName PSObject
# Result object, declared in the global scope; the property-bag section at the
# end of the script reads these two members.
$global:scriptoutput = New-Object -TypeName PSObject
$scriptoutput | Add-Member -MemberType NoteProperty -Name "IsSecLogDoNotOverwrite" -Value $false
$scriptoutput | Add-Member -MemberType NoteProperty -Name "HasIssue" -Value $false
#-----------------------------------------------------
# MAIN CODE SECTION
#-----------------------------------------------------
# Environment
# Explicit reset of the overwrite flag before detection runs (it is already
# initialised to $false at creation; the reset is kept for clarity).
$scriptoutput.IsSecLogDoNotOverwrite = $false
# Container for the environment-probing helpers attached below as script methods.
$scriptenv = New-Object -TypeName PSObject
# GetCrashOnAuditFail: reads CrashOnAuditFail under
# HKLM:\SYSTEM\CurrentControlSet\Control\Lsa.
# Returns the stored value, or 0 when the key or the value does not exist.
# This is the registry setting behind the policy "Audit: Shut down system
# immediately if unable to log security audits"; with value 1 the host halts
# instead of continuing without auditing.
# Registry access errors are not caught here: with $ErrorActionPreference = "Stop"
# they terminate the script rather than being reported as value 0.
$scriptenv | Add-Member -MemberType ScriptMethod -Name "GetCrashOnAuditFail" -Value {
    $lsaPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
    if (-not (Test-Path -Path $lsaPath))
    {
        return 0
    }
    $lsaValues = Get-ItemProperty (Get-Item -Path $lsaPath).PSPath
    if ($null -eq $lsaValues.crashonauditfail)
    {
        return 0
    }
    return $lsaValues.crashonauditfail
}
# GetIsSecLogDoNotOverwrite: $true when the Security event log's retention
# (OverflowAction) is DoNotOverwrite, i.e. new events are dropped once the log
# is full; $false otherwise, or when no Security log object can be obtained.
$scriptenv | Add-Member -MemberType ScriptMethod -Name "GetIsSecLogDoNotOverwrite" -Value {
    $securityLog = $scriptenv.GetSecurityLogObject()
    if ($null -eq $securityLog)
    {
        return $false
    }
    # Same enum-to-string comparison as before; yields a plain boolean.
    return ($securityLog.OverflowAction -eq "DoNotOverwrite")
}
# GetSecurityLogObject: the entry whose Log name is "security" from
# Get-EventLog -List (case-insensitive match), or $null when none is listed.
$scriptenv | Add-Member -MemberType ScriptMethod -Name "GetSecurityLogObject" -Value {
    $allLogs = Get-EventLog -List
    return ($allLogs | Where-Object { $_.Log -eq "security" })
}
#-----------------------------------------------------
# Main User Function
#-----------------------------------------------------
# AdvisorRule: detection logic for this monitor.
#   $scriptargs   - argument object (unused; the monitor declares no parameters).
#   $scriptoutput - result object; HasIssue and IsSecLogDoNotOverwrite are written here.
# HasIssue is raised only when CrashOnAuditFail equals 1, i.e. the domain
# controller is configured to halt when it cannot record a security audit.
# In that case the Security log's retention state is captured as well; it is
# surfaced as the alert's first parameter.
# NOTE(review): CrashOnAuditFail may also hold 2 (Windows sets it after such a
# halt has occurred); that state is not matched here - confirm whether it should be.
function AdvisorRule($scriptargs, $scriptoutput)
{
    $scriptoutput.HasIssue = $false
    $crashOnAuditFail = $scriptenv.GetCrashOnAuditFail()
    if ($crashOnAuditFail -ne 1)
    {
        return
    }
    $scriptoutput.IsSecLogDoNotOverwrite = $scriptenv.GetIsSecLogDoNotOverwrite()
    $scriptoutput.HasIssue = $true
}
# Run detection, then hand the results to Operations Manager as a property bag.
AdvisorRule $scriptargs $scriptoutput
$momApi = New-Object -ComObject "MOM.ScriptAPI"
$propertyBag = $momApi.CreatePropertyBag()
# Only non-null results are added, in the same order as before. The monitor's
# Error/Success expressions evaluate the HasIssue property of this bag.
foreach ($propertyName in @("IsSecLogDoNotOverwrite", "HasIssue"))
{
    $propertyValue = $scriptoutput.$propertyName
    if ($null -ne $propertyValue)
    {
        $propertyBag.AddValue($propertyName, $propertyValue)
    }
}
# Emitting the bag as the script's output is what returns it to the module.
$propertyBag
</ScriptBody>
<SnapIns/>
<TimeoutSeconds>300</TimeoutSeconds>
<Schedule>86385</Schedule>
<ErrorExpression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="Boolean">Property[@Name='HasIssue']</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="Boolean">true</Value>
</ValueExpression>
</SimpleExpression>
</ErrorExpression>
<SuccessExpression>
<Not>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="Boolean">Property[@Name='HasIssue']</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="Boolean">true</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</Not>
</SuccessExpression>
</Configuration>
</UnitMonitor>