CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' (Scored)

Profile Applicability:

• Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:

This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include:

 4612 : Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.  4615 : Invalid use of LPC port.  4618 : Amonitored security event pattern has occurred.  4816 : RPC detected an integrity violation while decrypting an incoming message.  5038 : Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.  5056: A cryptographic self test was performed.  5057: A cryptographic primitive operation failed.  5060: Verification operation failed.  5061: Cryptographic operation.  5062: A kernel-mode cryptographic self test was performed.

The recommended state for this setting is: Success and Failure .

Rationale:

Auditing these events may be useful when investigating a security incident.

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

Remediation:

To establish the recommended configuration via GP, set the following UI path to Success and Failure:

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit System Integrity
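
The audit step above can also be checked against the effective policy from the command line. The script below is an added example, not part of the benchmark text: it queries the subcategory with auditpol.exe and compares the result to the recommended state. It assumes an elevated PowerShell session and an English-language install (the "Inclusion Setting" text is localized); the function name is hypothetical.

```powershell
# Added example (not from the benchmark): verify the effective
# 'Audit System Integrity' setting with auditpol.exe.
# Assumption: run from an elevated PowerShell prompt.

# GUID of the System Integrity subcategory. Querying by GUID avoids
# depending on the localized subcategory display name.
$SubcategoryGuid = '{0CCE9212-69AE-11D9-BED3-505054503030}'

# Assumption: English UI. On other languages auditpol localizes this text.
$Expected = 'Success and Failure'

function Get-SystemIntegrityAuditSetting {   # hypothetical helper name
    param([string]$Guid)

    # /r emits CSV with the columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting.
    $raw = & auditpol.exe /get "/subcategory:$Guid" /r 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol failed (exit $LASTEXITCODE): $raw"
    }

    # Drop blank lines before parsing so the header row is read correctly.
    $row = $raw | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    if (-not $row) {
        throw 'auditpol returned no rows for the subcategory.'
    }
    return $row.'Inclusion Setting'
}

$actual = Get-SystemIntegrityAuditSetting -Guid $SubcategoryGuid
if ($actual -eq $Expected) {
    Write-Output "PASS: Audit System Integrity = '$actual'"
} else {
    Write-Output "FAIL: Audit System Integrity = '$actual' (expected '$Expected')"
    # Local fix for a standalone machine; a domain GPO that configures this
    # setting will overwrite it at the next policy refresh:
    # auditpol.exe /set "/subcategory:$SubcategoryGuid" /success:enable /failure:enable
}
```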
