Hi, I discussed this with ISS Support late last year.
If you want to use the feature that "manages" the auditing,
you have to have the audit flags set the way the product
wants. If you set it any other way (i.e. the way YOU want
them to be set, or the way that your security policy says it
MUST be set), then the product will set the flags back the
way it wants it.
I asked support for a way to combine what the product considered
mandatory and what I wanted, but the response was that it must
be either/or. Either what the product demands, or what you need
and forego that functionality in the product.
It was a case of:
"theres just no demand for this enhancement, you're only
the 14th person today to ask for that"
Sorry if this is not the response you wanted, maybe if we all
ask for an enhancement request, we may get this changed:
mailto://[EMAIL PROTECTED]
Ross Wakelin
Solutions Architect
MIEEE, MACM, CCSA, MCSE
gen-i
technology*passion*success
Charles Luney House, Christchurch, New Zealand
Ph: +64 3 353 0800
Mob: +64 21 334 380
E-mail: [EMAIL PROTECTED]
Web: www.gen-i.co.nz
* The Might Of Our People Equals The Power Of Our Company *
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Dryburgh, Andrew
Sent: Tuesday, 10 February 2004 3:46 a.m.
To: [EMAIL PROTECTED]
Subject: [ISSForum] Server Sensor7.0 and Windows auditing.
***** THIS EMAIL WAS SENT VIA THE INTERNET *****
Hi All,
I have found that our security event logs are filling up rapidly due to
logging Successful Object Access - making them hard to manage. I want to
change the Windows audit policy to only log failed object accesses,
according to NSA guidelines, but when I do server sensor seems to overwrite
the setting putting it back to success, failure. I know there is an
audit.policy file on the sensor but I can't find anywhere to administer it
from. Does server sensor require a certain auditing configuration to
function properly? Does it need to have successful object accesses audited?
Any help would be much appreciated.
Andy
**********************************************************************
This email is privileged, confidential and subject to copyright.
Any unauthorised use or disclosure of its content is prohibited.
The views expressed in this communication may not necessarily be the views
held by Scottish Borders Council
**********************************************************************
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
######################################################################
This e-mail message has been scanned and cleared by MailMarshal at
http://www.gen-i.co.nz
######################################################################
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
