CSA 6 Continuing Audit Events on Hosts with Non-Audit Policies

ccklinger
Level 1

I have two groups for desktop PCs, with the same policies. In the group I'm using for auditing, most policies are set to audit mode -- at policy level, not rule module level. In the other group, those same policies are not in audit mode.

The original agent kit included membership in both groups, but hosts now belong to one group or the other. The hosts are all polling frequently and are up to date, as is rule generation.

But in the event log, certain events on hosts that are not in the audit group are reporting as "Audit:" events. Why am I getting audit events on hosts in the group where policies are not in audit mode?

4 Replies

tsteger1
Level 8

Your description is a bit confusing because policies cannot be set to audit mode, only groups and rule modules can.

The only way to put a policy in audit mode is to assign it to a group in audit mode.

Any hosts in the audit group have ALL rules in audit mode.

Hosts in the other group should have no audit mode events unless there are some rule modules in audit mode or the host belongs to both groups.

Tom

Thank you, Tom, for your reply. Looking at the group details screen in CSA 6, and referencing the Policy Audit Mode documentation, attached policies can be set to audit mode for a group, on a per-policy basis.

I'm seeing logged Audit: events on hosts belonging solely to a group that is not in audit mode; its policies are not in audit mode, and the underlying rule modules are not in audit mode. Yet audit events continue in the log for those hosts.

Carole

Hello Carole,

Try looking at the assigned rules for one host and see if any show up as audit.

Also, make sure all viewing filters are off.

Yes, a policy can be in audit mode, but only in the context of a group. There is no checkbox as there are for groups and rule modules.

My apologies if I misunderstood.

Tom

m.vuckovic
Level 1

Hello!

One of the possible answers is the untrusted rootkit state of the host with CSA. When the host loads a driver after boot and this driver is not trusted, CSA puts the host in the untrusted rootkit state, and after that all events are marked with the Audit tag.

Best regards.

Marko
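The thread above names four separate ways a rule can end up logging "Audit:" events on a host: the group is in audit mode, a policy is set to audit mode for that group, the rule module itself is in audit mode, or the host has dropped into the untrusted rootkit state. As an added example (not Cisco code, and not an export of a real CSA Management Center), the script below models those four conditions on a constructed host/group/policy/rule-module data set and reports, per host, which rule modules will produce audit events and why. The data model, the host and group names, and the rule that any one condition is sufficient are all assumptions made for illustration; they mirror the setup Carole describes (two desktop groups with the same policies, per-policy audit on one of them, one agent kit that used to join both groups).

```python
from dataclasses import dataclass, field


@dataclass
class RuleModule:
    name: str
    audit: bool = False              # rule-module-level audit checkbox


@dataclass
class Policy:
    name: str
    modules: list                    # RuleModule objects


@dataclass
class Group:
    name: str
    audit: bool                      # group-level audit checkbox
    policies: list                   # Policy objects attached to this group
    # names of attached policies set to audit mode for this group only
    policy_audit: set = field(default_factory=set)


@dataclass
class Host:
    name: str
    groups: list                     # every Group the host currently belongs to
    untrusted_rootkit: bool = False  # untrusted rootkit state (Marko's point)


def audit_reasons(host):
    """Map each rule module that will log 'Audit:' events on `host` to the reasons.

    Assumption (constructed model): any one of the four conditions is enough.
    An empty result means no audit events are expected from this host; if the
    console still shows them, check viewing filters and stale group membership.
    """
    reasons = {}
    for group in host.groups:
        for policy in group.policies:
            for module in policy.modules:
                why = set()
                if group.audit:
                    why.add(f"group '{group.name}' is in audit mode")
                if policy.name in group.policy_audit:
                    why.add(f"policy '{policy.name}' is in audit mode for group '{group.name}'")
                if module.audit:
                    why.add(f"rule module '{module.name}' is in audit mode")
                if host.untrusted_rootkit:
                    why.add(f"host '{host.name}' is in the untrusted rootkit state")
                if why:
                    reasons.setdefault(module.name, set()).update(why)
    return {m: sorted(r) for m, r in sorted(reasons.items())}


def audit_hosts(hosts):
    """Names of hosts that have at least one reason to log Audit: events."""
    return [h.name for h in hosts if audit_reasons(h)]


# --- constructed sample data mirroring the thread's setup ---
file_protect = RuleModule("File Protection")
net_shield = RuleModule("Network Shield")
desktop_policy = Policy("Desktop Policy", [file_protect])
network_policy = Policy("Network Policy", [net_shield])

# Audit group: group checkbox off, but both attached policies set to audit for this group
AUDIT_GROUP = Group("Desktops-Audit", audit=False,
                    policies=[desktop_policy, network_policy],
                    policy_audit={"Desktop Policy", "Network Policy"})
PROD_GROUP = Group("Desktops-Prod", audit=False,
                   policies=[desktop_policy, network_policy])

HOSTS = [
    Host("pc-audit-01", [AUDIT_GROUP]),
    Host("pc-prod-01", [PROD_GROUP]),
    Host("pc-prod-02", [PROD_GROUP, AUDIT_GROUP]),            # kit still joined both groups
    Host("pc-prod-03", [PROD_GROUP], untrusted_rootkit=True),  # loaded an untrusted driver
]

if __name__ == "__main__":
    for h in HOSTS:
        print(h.name, audit_reasons(h) or "no audit events expected")
    print("hosts that will log Audit: events:", audit_hosts(HOSTS))
```

Running it shows pc-prod-01 as clean, pc-prod-02 picking up audit mode through its leftover membership in the audit group, and pc-prod-03 auditing everything because of the rootkit state even though nothing in its group, policies or rule modules is set to audit. Comparing `audit_hosts` against the list of hosts you expect to be auditing is the quick way to spot the two cases Tom and Marko describe.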
