CSA 6 Continuing Audit Events on Hosts with Non-Audit Policies

Unanswered Question
Mar 30th, 2009

I have two groups for desktop PCs, with the same policies. In the group I'm using for auditing, most policies are set to audit mode -- at policy level, not rule module level. In the other group, those same policies are not in audit mode.


The original agent kit included membership in both groups, but hosts now belong to one group or the other. The hosts are all polling frequently and are up to date, as is rule generation.


But in the event log, certain events on hosts that are not in the audit group are reporting as "Audit:" events. Why am I getting audit events on hosts in the group where policies are not in audit mode?

tsteger1 Tue, 03/31/2009 - 16:50

Your description is a bit confusing because policies cannot be set to audit mode, only groups and rule modules can.


The only way to put a policy in audit mode is to assign it to a group in audit mode.


Any hosts in the audit group have ALL rules in audit mode.


Hosts in the other group should have no audit mode events unless there are some rule modules in audit mode or the host belongs to both groups.


Tom

ccklinger Wed, 04/01/2009 - 09:26

Thank you, Tom, for your reply. Looking at the group details screen in CSA 6, and referencing the Policy Audit Mode documentation, attached policies can be set to audit mode for a group, on a per-policy basis.


I'm seeing logged Audit: events on hosts belonging solely to a group that is not in audit mode; its policies are not in audit mode, and the underlying rule modules are not in audit mode. Yet audit events continue in the log for those hosts.


Carole

tsteger1 Thu, 04/02/2009 - 07:21

Hello Carole,


Try looking at the assigned rules for one host and see if any show up as audit.


Also, make sure all viewing filters are off.


Yes, a policy can be in audit mode, but only in the context of a group. There is no checkbox as there is for groups and rule modules.


My apologies if I misunderstood.


Tom

m.vuckovic Fri, 10/29/2010 - 01:59

Hello!


One of the possible answers is the untrusted rootkit state of the host with CSA. When the host loads a driver after boot and this driver is not trusted, CSA puts the host in the untrusted rootkit state, and after that all events are marked with the Audit tag.


Best regards.


Marko
