Exchange must have Audit record parameters set.

From MS Exchange 2013 Client Access Server Security Technical Implementation Guide

Part of SRG-APP-000089

Associated with: CCI-000169

SV-84355r1_rule Exchange must have Audit record parameters set.

Vulnerability discussion

Log files help establish a history of activities, and can be useful in detecting attack attempts. This item declares the fields that must be available in the audit log file in order to adequately research events that are logged.Audit records should include the following fields to supply useful event accounting: Object modified, Cmdlet name, Cmdlet parameters, Modified parameters, Caller, Succeeded, and Originating server.

Check content

Open the Exchange Management Shell and enter the following command: Get-AdminAuditLogConfig | Select Name, Identity, AdminAuditLogParameters If the value of AdminAuditLogParameters is not set to {*}, this is a finding. Note: The value of {*} indicates all parameters are being audited.

Fix text

Open the Exchange Management Shell and enter the following command: Set-AdminAuditLogConfig -AdminAuditLogParameters *

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer