Exchange Audit record parameters must be set.

From MS Exchange 2013 Mailbox Server Security Technical Implementation Guide

Part of SRG-APP-000089

Associated with: CCI-000169

SV-84573r1_rule Exchange Audit record parameters must be set.

Vulnerability discussion

Log files help establish a history of activities, and can be useful in detecting attack attempts. This item declares the fields that must be available in the audit log file in order to adequately research events that are logged. Audit records should include the following fields to supply useful event accounting: Object modified, Cmdlet name, Cmdlet parameters, Modified parameters, Caller, Succeeded, and Originating server.

Check content

Open the Exchange Management Shell and enter the following command:

Get-AdminAuditLogConfig | Select AdminAuditLogParameters

Note: The value of {*} indicates all parameters are being audited.

If the value of AdminAuditLogParameters is not set to {*}, this is a finding.

Fix text

Open the Exchange Management Shell and enter the following command:

Set-AdminAuditLogConfig -AdminAuditLogParameters *
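One way to script the check above and confirm that an audit record carries the fields named in the vulnerability discussion. This is an added example, not part of the STIG; the function names Test-AdminAuditLogParameters and Get-MissingAuditField are hypothetical, and the sample objects are constructed.

```powershell
# Added example, not part of the STIG. Function names are hypothetical.

function Test-AdminAuditLogParameters {
    param(
        # Output of Get-AdminAuditLogConfig, or any object with the same property.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Config
    )
    process {
        # The property is multivalued; {*} is a collection holding only "*".
        $values = @($Config.AdminAuditLogParameters |
            Where-Object { $null -ne $_ } |
            ForEach-Object { "$_".Trim() })
        [pscustomobject]@{
            Rule                    = 'SV-84573r1_rule'
            AdminAuditLogParameters = $values -join ', '
            Finding                 = -not ($values.Count -eq 1 -and $values[0] -eq '*')
        }
    }
}

function Get-MissingAuditField {
    param(
        # One record from Search-AdminAuditLog, or an object shaped like one.
        [Parameter(Mandatory)]
        [psobject]$Record
    )
    # Property names under which the fields from the discussion appear on a record.
    $expected = 'ObjectModified', 'CmdletName', 'CmdletParameters',
                'ModifiedProperties', 'Caller', 'Succeeded', 'OriginatingServer'
    $expected | Where-Object { $Record.PSObject.Properties.Name -notcontains $_ }
}

# Constructed sample objects (not real server output) showing both outcomes.
[pscustomobject]@{ AdminAuditLogParameters = @('*') },
[pscustomobject]@{ AdminAuditLogParameters = @('Identity', 'Name') } |
    Test-AdminAuditLogParameters

# On an Exchange server, evaluate the live configuration and one returned record.
if (Get-Command Get-AdminAuditLogConfig -ErrorAction SilentlyContinue) {
    Get-AdminAuditLogConfig | Test-AdminAuditLogParameters
    $record = Search-AdminAuditLog -ResultSize 1
    if ($record) { Get-MissingAuditField -Record $record }
}
```

The first sample reports Finding as False and the second as True; Get-MissingAuditField returns nothing when every expected field is present on the record.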
