Prerequisite Audit Policy/Advanced Audit Policies
CliffordRichmond opened this issue · 3 comments
I apologize if this is not the proper avenue, but it was the only one I could recognize. Is it listed anywhere what baseline audit/advanced audit policy settings/GPOs need to be in place in order for all these event IDs to exist in the first place (e.g. the Microsoft Recommended baseline, or secure audit policy settings, or perhaps audit policy settings specific to this repo)? -Cliff, CISSP
I ventured forward and realized that Advanced Audit Policy settings all appear within the Security log, so I think I am good. Although there do seem to be a few settings here that I don't see in Windows 2008 R2 (yes, I know I don't have to worry for long regarding that).
@CliffordRichmond We are working on updating the repository with new events and information. We are considering adding information such as configuration changes needed for an event to be logged (if any change is needed).
Whether in the new information or off-list, regarding initially locking down event log access: I would also be curious whether it is really possible to prevent log clearing (by the local admin group) without dealing with the very scary-looking Security Descriptor Definition Language.
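The two practical questions in this thread (which audit subcategories are actually switched on, and who holds the right to clear the Security log) can both be answered from the command line. The following PowerShell is an added example, not code from this repository or from any of the commenters. It assumes the CSV column names that `auditpol /get /category:* /r` emits, the event-log access-mask bits (0x1 read, 0x2 write, 0x4 clear) and the well-known SDDL abbreviations SY, BA and S-1-5-32-573; the sample `auditpol` rows and the sample SDDL string are constructed so the functions can be exercised offline.

```powershell
# Added example (not from the issue thread or the repository): audit-policy
# prerequisites and Security-log channel permissions from a defender's viewpoint.

# --- Part 1: which audit subcategories are still set to "No Auditing"? ---
# Parses the CSV form of `auditpol /get /category:* /r`. The column names are
# the ones auditpol emits (assumption); blank lines are dropped before parsing.
function Get-DisabledAuditSubcategories {
    param(
        [string[]]$AuditpolCsvLines = (auditpol /get /category:* /r)
    )
    $rows = $AuditpolCsvLines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv
    $rows | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' } |
        Select-Object Subcategory, 'Inclusion Setting'
}

# --- Part 2: who can clear a given event log channel? ---
# The channel DACL is the "channelAccess:" line of `wevtutil gl <channel>`.
# Event-log access-mask bits (assumption based on the Windows event log API):
# 0x1 = read, 0x2 = write, 0x4 = clear.
$EventLogClearBit = 0x4
$WellKnownSids = @{
    'SY'           = 'NT AUTHORITY\SYSTEM'
    'BA'           = 'BUILTIN\Administrators'
    'S-1-5-32-573' = 'BUILTIN\Event Log Readers'
}

function Get-ChannelAccessSddl {
    param([string]$Channel = 'Security')
    $line = (wevtutil gl $Channel) | Where-Object { $_ -match '^\s*channelAccess:' }
    return ($line -replace '^\s*channelAccess:\s*', '')
}

function Get-LogClearPrincipals {
    param([Parameter(Mandatory)][string]$Sddl)
    # A DACL ACE looks like (A;;0x5;;;BA): type;flags;rights;objguid;inheritguid;sid
    $aces = [regex]::Matches($Sddl, '\(([AD]);([^;]*);([^;]*);([^;]*);([^;]*);([^)]+)\)')
    foreach ($ace in $aces) {
        $type   = $ace.Groups[1].Value
        $rights = $ace.Groups[3].Value
        $sid    = $ace.Groups[6].Value
        $name   = if ($WellKnownSids.ContainsKey($sid)) { $WellKnownSids[$sid] } else { $sid }
        # Only hexadecimal masks are decoded; symbolic right strings are reported as unknown.
        if ($rights -notmatch '^0x[0-9a-fA-F]+$') {
            [pscustomobject]@{ Principal = $name; Ace = $type; CanClear = 'unknown (symbolic rights)' }
            continue
        }
        $mask = [Convert]::ToInt64($rights.Substring(2), 16)
        [pscustomobject]@{
            Principal = $name
            Ace       = if ($type -eq 'A') { 'Allow' } else { 'Deny' }
            CanClear  = (($mask -band $EventLogClearBit) -ne 0)
        }
    }
}

# Constructed sample input: two auditpol CSV rows in the /r layout.
$sampleAuditpol = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting',
    'HOST01,System,Audit Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,',
    'HOST01,System,Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030},No Auditing,'
)
Get-DisabledAuditSubcategories -AuditpolCsvLines $sampleAuditpol | Format-Table -AutoSize

# Constructed sample input: a channelAccess SDDL in the shape the Security log uses.
# Administrators (BA) hold 0x5 = read + clear; Event Log Readers hold 0x1 = read only.
$sampleSddl = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)'
Get-LogClearPrincipals -Sddl $sampleSddl | Format-Table -AutoSize
```

On a live host, `Get-DisabledAuditSubcategories` with no arguments runs `auditpol` itself, and `Get-LogClearPrincipals -Sddl (Get-ChannelAccessSddl 'Security')` reads the real channel DACL. Removing the 0x4 bit from the Administrators ACE and applying the result with `wevtutil sl Security /ca:<sddl>` does take the clear right away, but a member of Administrators can change the channel SDDL back, so treat it as hardening rather than a boundary: forwarding the Security log off-host and alerting on the audit-log-cleared event are what actually preserve the evidence.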