windows-vista – Vista失败审计

前端之家收集整理的这篇文章主要介绍了windows-vista – Vista失败审计前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
我需要满足 government security requirements才能运送我的产品.以下是我想要满足的具体要求:

Group ID (Vulid): V-1080 Group

Title: File Auditing Configuration

Rule ID: SV-29471r1_rule

Severity: CAT II

Rule Version (STIG-ID): 2.007

Rule Title: File-auditing configuration does not meet minimum
requirements.

Vulnerability Discussion: Improper modification of the core system
files can render a system inoperable. Further,modifications to these
system files can have a significant impact on the security
configuration of the system. Auditing of significant modifications
made to the system files provides a method of determining the
responsible party.

False Positives: Automated checking sometimes reports this as a false
finding. If a manual review of a questionable finding shows auditing
to be set correctly,then this would not be a finding.

Responsibility: System Administrator IAControls: ECAR-1,ECAR-2,
ECAR-3

Check Content: If system-level auditing is not enabled,or if the
system and data partitions are not installed on NTFS partitions,then
mark this as a finding.

Open Windows Explorer and use the file and folder properties function
to verify that the audit settings on each partition/drive is
configured to audit all “failures” for the “Everyone” group.

If any partition/drive is not configured to at least the minimum
requirement,then this is a finding.

Fix Text: Configure auditing on each partition/drive to audit all
“Failures” for the “Everyone” group.

我需要使用Windows文件审核记录整个本地磁盘(C :)的Windows Vista文件访问失败.通过全新安装的Windows Vista Business SP2,我以本地管理员身份登录.在Windows资源管理器中,我选择C:,属性,高级,审核,继续,继续.为Everyone添加审核条目.应用于“此文件夹,子文件夹和文件”.检查“完全控制”是否失败.保留“仅将此审核条目应用于此容器内的对象和/或容器”未选中.好的,申请.

单击“应用”后,我会收到数十个“访问被拒绝”错误消息,其中包含各种与操作系统相关的文件夹和文件.

An error occurred while applying security information to:

File path

Access is denied.

要么

An error occurred while applying security information to:

File path

The process cannot access the file because it is being used by another
process.

我尝试了C:的所有权,但是当我尝试这样做时我也遇到了错误.是否有一种简单的方法可以通过批处理脚本或通过Windows GUI为每个人启用完整的审核:而不会为操作系统控制的文件文件获取数十条错误消息?如果有触发“访问被拒绝”的内容,我可以跳过它而不必在错误弹出窗口中单击“确定”吗?

我,可能是所有系统管理员,都会引导您在整个驱动器上使用Auditing,尤其是工作驱动器.由于仅有大量的审计,这才有可能使您的系统陷入停滞状态.

每个人组都不是你想象的那样.如果您正在寻找已登录的物理人类,那么这不是您要审核的正确组. . .

请记住,很多读写操作都会失败.这是因为这是查找文件是否存在的便宜且快速方法.如果您尝试创建文件,大多数(如果不是全部)程序将尝试按该名称打开文件.如果它存在,Windows将返回一个文件,程序只是发出一个错误:“文件存在.”这比通过目录列表并检查文件名是否已被使用要快得多.

再次,请记住这里的审计引擎的负担.文件系统将正常运行,但审计引擎必须基本保持正常.每次打开和关闭句柄时,审计引擎都必须检查它是否是由NTFS故障引起的.考虑到不仅由操作系统创建的大量句柄,而且只是通过运行正常程序,这可能会使您的操作系统停滞不前.

An error occurred while applying security information to:

File path

The process cannot access the file because it is being used by another process.

错误消息解释了这一切.该文件正由另一个程序或OS可能使用.尝试在操作系统使用时修改文件可能会导致操作系统崩溃.

An error occurred while applying security information to:

File path

Access is denied.

一般来说,当某人经历了阻止你甚至系统所有者访问该文件的努力时,通常是有原因的.

所以问题是. . .
你想做什么?

如果你准确地解释你打算做什么,这将对我们有很大的帮助.你的目标是什么?您是否尝试跟踪登录用户的活动?这可能是最糟糕的做法.你想跟踪流氓程序吗?这不是你想要这样做的方式.

编辑

现在我已经阅读了荒谬的要求,我们已经转移到ServerFault,希望我们能找到一个处理这个废话的人.

猜你在找的Windows相关文章