03-30-2009 11:51 AM - edited 03-09-2019 10:10 PM
I have two groups for desktop PCs, with the same policies. In the group I'm using for auditing, most policies are set to audit mode -- at policy level, not rule module level. In the other group, those same policies are not in audit mode.
The original agent kit included membership in both groups, but hosts now belong to one group or the other. The hosts are all polling frequently and are up to date, as is rule generation.
But in the event log, certain events on hosts that are not in the audit group are reporting as "Audit:" events. Why am I getting audit events on hosts in the group where policies are not in audit mode?
03-31-2009 04:50 PM
Your description is a bit confusing because policies cannot be set to audit mode, only groups and rule modules can.
The only way to put a policy in audit mode is to assign it to a group in audit mode.
Any hosts in the audit group have ALL rules in audit mode.
Hosts in the other group should have no audit mode events unless there are some rule modules in audit mode or the host belongs to both groups.
Tom
04-01-2009 09:26 AM
Thank you, Tom, for your reply. Looking at the group details screen in CSA 6, and referencing the Policy Audit Mode documentation, attached policies can be set to audit mode for a group, on a per-policy basis.
I'm seeing logged Audit: events on hosts belonging solely to a group that is not in audit mode; its policies are not in audit mode, and the underlying rule modules are not in audit mode. Yet audit events continue in the log for those hosts.
Carole
04-02-2009 07:21 AM
Hello Carole,
Try looking at the assigned rules for one host and see if any show up as audit.
Also, make sure all viewing filters are off.
Yes, a policy can be in audit mode, but only in the context of a group. There is no checkbox as there is for groups and rule modules.
My apologies if I misunderstood.
Tom
10-29-2010 01:59 AM
Hello!
One of the possible answers is the untrusted rootkit state of the host with CSA. When the host loads a driver after boot and this driver is not trusted, CSA puts the host in the untrusted rootkit state, and after that all events are marked with the Audit tag.
Best regards.
Marko