Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11
Specifically defined auditable events from table 10
Audit records reaching [assignment: integer value less than 100] percentage of audit capacity, [assignment: other auditable events derived from this profile
Windows Logs/Security: 1103
Table 1: FAU_GEN.1 audits
The following table correlates the set of administrative operations described in this document with their associated audits. Section FMT_SMF_EXT.1 has test procedures to produce these audits.
| Administrative Action | Id |
| --- | --- |
| configure password policy: minimum password length; minimum password complexity; maximum password lifetime | Windows Logs/Security: 4739 |
| configure session locking policy: screen-lock enabled/disabled; screen lock timeout; number of authentication failures | Windows Logs/Security: 4657 |
| enable/disable the VPN protection: [a. across device, b. on a per-app basis, c. no other method] | Windows Logs/Security: Enable: 4651, 5451; Disable: 4655, 5452 |
| enable/disable [Wi-Fi, Bluetooth] | WiFi: Microsoft-Windows-WLAN-AutoConfig/Operational Id 11001 (enable), 11004 (disable); Bluetooth: Windows Logs/Security: 4657 |
| enable/disable [camera, microphone]: [a. across device, b. on a per-app basis, c. no other method] | Camera: Windows Logs/Security: 4657; Microphone: Microsoft-Windows-Audio/Operational: 65 |
| specify wireless networks (SSIDs) to which the TSF may connect | |
| configure security policy for each wireless network: [selection: specify the CA(s) from which the TSF will accept WLAN authentication server certificate(s), specify the FQDN(s) of acceptable WLAN authentication server certificate(s)] | |
| enable/disable bypass of local user authentication | N/A |
| wipe Enterprise data | N/A |
| approve [import, removal] by applications of X.509v3 certificates in the Trust Anchor Database | N/A |
| configure whether to establish a trusted channel or disallow establishment if the TSF cannot establish a connection to determine the validity of a certificate | 4950 |
| enable/disable the cellular protocols used to connect to cellular network base stations | N/A |
| read audit logs kept by the TSF | Windows Logs/Security: 4673 |
| configure [certificate] used to validate digital signature on applications | Import certificate: Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational: 1006 |
| USB data transfer without authentication of the connecting system] | N/A |
| enable/disable backup to [remote system] | Windows Logs/Security: 4657 |
| enable/disable [selection: Hotspot functionality authenticated by [selection: pre-shared key, passcode, no authentication], USB tethering authenticated by [selection: pre-shared key, passcode, no authentication]] | N/A |
| approve exceptions for sharing data between [selection: application processes, groups of application processes] | N/A |
| place applications into application process groups based on [assignment: application characteristics] | N/A |
| enable/disable location services: [a. across device, b. on a per-app basis, c. no other method] | Windows Logs/Security: 4657 |
| [none] | N/A |

Table 2: Administrative Actions audits
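The presence of the Table 2 audits can be checked from PowerShell on the evaluated host. The script below is an added example, not from the guidance document or from Microsoft: it enables the Security-log subcategories that emit the Security Ids in the table, then queries each log for the expected Ids in a time window. The subcategory list, the one-hour window, and the channel names (the ETW channel names behind the Event Viewer paths in the table) are this example's own assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the guidance document). Enables the Security-log
# subcategories behind the Ids in Table 2, then checks each log for those Ids
# in a time window. Run elevated on the evaluated host. The subcategory list,
# the one-hour window and the channel names (ETW names corresponding to the
# Event Viewer paths in the table) are this example's own assumptions.

$since = (Get-Date).AddHours(-1)

# Security-log subcategories that produce the Ids Table 2 lists.
$subcategories = @(
    'Registry',                      # 4657 (the audited key also needs an audit SACL)
    'Authentication Policy Change',  # 4739
    'Sensitive Privilege Use',       # 4673
    'IPsec Main Mode',               # 4651, 4655
    'IPsec Quick Mode'               # 5451, 5452
)
foreach ($s in $subcategories) {
    auditpol.exe /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
}

# Channel name -> expected Ids, transcribed from Table 2.
$expected = @{
    'Security'                                                               = 4739, 4657, 4651, 4655, 5451, 5452, 4673
    'Microsoft-Windows-WLAN-AutoConfig/Operational'                          = 11001, 11004
    'Microsoft-Windows-Audio/Operational'                                    = 65
    'Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational' = 1006
}

function Get-AdminActionAudits {
    param([hashtable]$Map, [datetime]$Since)
    foreach ($log in $Map.Keys) {
        $ids = @($Map[$log])
        # Get-WinEvent throws when nothing matches; treat that as zero hits.
        $found = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids; StartTime = $Since } `
                     -ErrorAction SilentlyContinue)
        foreach ($id in $ids) {
            $hits = @($found | Where-Object Id -eq $id)   # Get-WinEvent returns newest first
            [pscustomobject]@{
                Log   = $log
                Id    = $id
                Count = $hits.Count
                Last  = if ($hits.Count) { $hits[0].TimeCreated } else { $null }
            }
        }
    }
}

Get-AdminActionAudits -Map $expected -Since $since |
    Sort-Object Log, Id | Format-Table -AutoSize
```

A row with Count 0 after the corresponding administrative action was performed means the audit is not being generated. For 4657 in particular, enabling the Registry subcategory is not sufficient: the registry key that the session-lock, Bluetooth, camera, backup or location setting writes to must also carry an audit SACL, otherwise no 4657 record is produced.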
| Requirement | Description | Additional Record Contents | Log: Event Id |
| --- | --- | --- | --- |
| FAU_SEL.1 | All modifications to the audit configuration that occur while the audit collection functions are operating. | No additional information. | Windows Logs/Security: 4719 |
| FCS_CKM_EXT.1 | [generation of a REK] | No additional information. | Windows Logs/System: 24 |
| FCS_CKM_EXT.5 | Success or failure of the wipe. | No additional information. | Windows Logs/System: Success: 12; Failure: 4502 |
| FCS_CKM.1(1) | Failure of key generation activity for authentication keys. | No additional information. | Microsoft-Windows-Crypto-NCrypt: 4 |
| FCS_HTTPS_EXT.1 | Failure of the certificate validity check. | Issuer Name and Subject Name of certificate. [No additional information]. | Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11 |
| FCS_RBG_EXT.1 | Failure of the randomization process. | No additional information. | Windows Logs -> System: 20 |
| FCS_STG_EXT.1 | Import or destruction of key. [No other events] | Identity of key. Role and identity of requestor. | Import: Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient/Lifecycle-System: 1006; Destruction: Windows Logs/System: 12 |
| FCS_STG_EXT.3 | Failure to verify integrity of stored key. | Identity of key being verified. | Microsoft-Windows-Crypto-NCrypt: 3 (Task Category: Open Key Failure) |
| FCS_TLSC_EXT.1 | Failure to establish an EAP-TLS session. | | Windows Logs -> System: 36888; Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11, 41, 30 |
| FCS_TLSC_EXT.1 | Establishment/termination of an EAP-TLS session. | | Establishment: Windows Logs -> System: 36880; Termination: Applications and Services Logs -> Microsoft -> Windows -> SChannel-Events -> Perf: 1793 |
| FCS_TLSC_EXT.2 | Failure to establish a TLS session. | Reason for failure. | Windows Logs -> System: 36888; Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11, 41, 30 |
| FCS_TLSC_EXT.2 | Failure to verify presented identifier. | Presented identifier and reference identifier. | Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11 |
| FCS_TLSC_EXT.2 | Establishment/termination of a TLS session. | Non-TOE endpoint of connection. | Establishment: Windows Logs -> System, Source: Schannel: 36880; Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11; Termination: Applications and Services Logs -> Microsoft -> Windows -> SChannel-Events -> Perf: 1793 |
| FDP_DAR_EXT.1 | Failure to encrypt/decrypt data. | No additional information. | Windows Logs -> System: 24588 |
| FDP_STG_EXT.1 | Addition or removal of certificate from Trust Anchor Database. | Subject name of certificate. | Applications and Services Logs -> Microsoft -> Windows: |

| Event Id | Log | Description | Record contents |
| --- | --- | --- | --- |
| | | | Logged: This event along with no other earlier events indicates a wipe has occurred. |
| 16 | Windows Logs -> System, Source: BTHUSB | The mutual authentication between the local Bluetooth adapter and a device with Bluetooth adapter address failed. | Logged; Data |
| 19 | Windows Logs -> System | Installation Successful: Windows successfully installed the following update: | Logged; Security ID; updateTitle; updateGuid; serviceGuid; updateRevisionNumber |
| 20 | Windows Logs -> System, Source: Kernel-Boot | The last boot’s success was . | Logged; LastBootGood |
| 21 | Windows Logs -> System, Source: Kernel-Boot | The OS loader advanced options menu was displayed and the user selected option | Logged; OptionSelected. Note: this event is recorded if the operating system was started in an auxiliary boot mode; its absence indicates the operating system started in normal boot mode. |
| 24 | Windows Logs -> System, Source: TPM | The Trusted Platform Module (TPM) status: and . | Logged |
| 30 | Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational | Attempted to turn off workplace device management. Result is | Logged; Security; Remediation action removed Enterprise apps. |
| 801 | Applications and Services Logs -> Microsoft -> Windows -> Kernel-PnP -> Device Configuration | Enable PnP device. | |
| 830 | Applications and Services Logs -> Microsoft -> Windows -> Kernel-PnP -> Device Configuration | Disable PnP device | |
| 1004 | Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational; Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational | A certificate has been deleted | Logged; Security ID; SubjectNames; Thumbprint; EKUs; NotValidAfter |
| 1006 | Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational; Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational | A new certificate has been installed. | Logged; Subject; Thumbprint |
| 1015 | Applications and Services Logs -> Microsoft -> Windows -> Wcmsvc -> Operational; Applications and Services Logs -> Microsoft -> Windows -> SChannel-Events -> Perf | | Logged |
| 3004 | Windows Logs -> System | Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. | Logged; Level; Task category; User; Machine; General Description |
| 4502 | Microsoft-Windows-ResetEng | Attempt to restore the system to original condition has failed. Changes to the system have been undone. | Logged |
| 4608 | Windows Logs -> Security, Subcategory: Security State Change | Startup of audit functions | Logged; Task category; Keywords |
| 4624 | Windows Logs -> Security, Subcategory: Logon | An account was successfully logged on. | Logged; Security ID; Account Name; Account Domain; Workstation Name; Logon Type; LogonID; Source Network Address |
| 4651 | Windows Logs -> Security, Subcategory: IPsec Main Mode | IPsec main mode security association was established. A certificate was used for authentication. | Logged; Task category; Local Endpoint; Remote Endpoint; Keying Module Name; Local Certificate; Remote Certificate; Cryptographic Information; Keywords |
| 4655 | Windows Logs -> Security, Subcategory: IPsec Main Mode | IPsec main mode security association ended. | |
| | Windows Logs -> Security, Subcategory: System Integrity | Key file operation | Logged; Task category; Subject; Cryptographic Parameters; Key file operation information |
| 5061 | Windows Logs -> Security, Subcategory: System Integrity | Cryptographic operation. | Logged; Task category; Subject; Cryptographic parameters; Cryptographic operation |
| 5447 | Windows Logs -> Security, Subcategory: Other Policy Change Events | Windows Filtering Platform filter has been changed | Logged; Task category; Change type; Filter ID; Filter Name; Layer ID; Layer Name; Additional Information |
| 5450 | Windows Logs -> Security, Subcategory: Filtering Platform Policy Change | Windows Filtering Platform sub-layer has been changed | Logged; Task category; Change type; Sub-layer ID; Sub-layer Name |
| 5451 | Windows Logs -> Security, Subcategory: IPsec Quick Mode | IPsec quick mode security association was established | Logged; Task category; Local Endpoint; Remote Endpoint; Keying Module Name; Cryptographic Information; Keywords |
| 5452 | Windows Logs -> Security, Subcategory: IPsec Quick Mode | IPsec quick mode security association ended | Logged; Task category; Local Endpoint; Remote Endpoint; Cryptographic Information; Keywords |
| 5038 | Windows Logs -> Security, Subcategory: System Integrity | Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. | Logged; Task category; File Name: <file failing integrity check> |
| 5446 | Windows Logs -> Security, Subcategory: Filtering Platform Policy Change | Windows Filtering Platform callout has been changed | Logged; Task category; Change type; Callout ID; Callout Name; Layer ID; Layer Name; Keywords |
| 8000 | Microsoft-Windows-WLAN-AutoConfig/Operational | WLAN AutoConfig service started a connection to a wireless network | Logged; Network Adapter |
| 8001 | Microsoft-Windows-WLAN-AutoConfig/Operational | WLAN AutoConfig service has successfully connected to a wireless network | Logged; SSID (non-TOE endpoint of connection); Authentication: WPA2-Enterprise (protocol); 802.1x Enabled: Yes (protocol) |
| 8003 | Microsoft-Windows-WLAN-AutoConfig/Operational | WLAN AutoConfig service has successfully disconnected from a wireless network | Logged; SSID: <Wireless network name> (non-TOE endpoint of connection); Network Adapter |
| 11001 | Microsoft-Windows-WLAN-AutoConfig/Operational | Wireless network association succeeded | Logged; Network Adapter; Local MAC address |
| 11004 | Microsoft-Windows-WLAN-AutoConfig/Operational | Wireless security stopped | Logged; Network Adapter; Local MAC address |
| 11010 | Applications and Services Logs -> Microsoft -> Windows -> WLAN-AutoConfig -> Operational | | |
| | | Bitlocker finalization sweep completed for volume : | Logged; Security UserID; Volume |
| 24588 | Windows Logs -> System | The conversion operation on volume encountered a bad sector error. | Logged; Volume |
| 36880 | Windows Logs -> System, Source: Schannel | An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows. | Logged; Protocol; CipherSuite |
| 36888 | Windows Logs -> System, Source: Schannel | A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is %1. | Logged; Reason for failure (the TLS fatal error code); Protocol. Possible error code values: 10 = Unexpected message; 20 = Bad record MAC; 22 = Record overflow; 30 = Decompression fail; 40 = Handshake failure; 47 = Illegal parameter; 48 = Unknown CA; 49 = Access denied; 50 = Decode error; 51 = Decrypt error; 70 = Protocol version; 71 = Insufficient security; 80 = Internal error; 110 = Unsupported extension |
| Recovery Screen | Windows Logs -> System and Display | System event Id 20 is recorded by source Kernel-Boot with event data “LastBootGood” set to “false”. This event, together with the Recovery screen’s indication of the TSF executable that caused the failed boot, records the boot failure. | |
| Wipe Failure Screen | Display | There was a problem resetting your PC. No changes were made. | On logon a message is displayed to the user indicating that the recovery operation of the system failed. |
| Bitlocker recovery | Display | Bitlocker recovery | On startup a message is displayed requesting the Bitlocker recovery key |
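The FCS_TLSC_EXT.2 row above maps "failure to establish a TLS session" to two records that have to be read together: Schannel 36888 in the System log carries the fatal alert code (the "reason for failure"), and CAPI2 11 in the CAPI2 Operational log carries the certificate validation failure that usually caused it. The script below is an added example, not from the guidance document or from Microsoft. It decodes the 36888 alert code with the error-code table above and pairs each alert with the nearest preceding CAPI2 11 event. Its assumptions: the first EventData property of 36888 is the alert code, and a CAPI2 11 event logged within a few seconds before the alert belongs to the same handshake. The sample events at the end, including the 0x800B0109 message text and the error-state values, are constructed so the function can be exercised offline.

```powershell
# Added example, not from the guidance document. Builds the FCS_TLSC_EXT.2
# "failure to establish a TLS session" record from the two logs the table
# maps it to: Schannel 36888 (System) for the fatal alert code and CAPI2 11
# (Microsoft-Windows-CAPI2/Operational) for the certificate validation failure.
# Assumptions: Properties[0] of 36888 is the alert code; a CAPI2 11 event
# within $Window seconds before the alert belongs to the same handshake.

# Alert code -> description, from the 36888 error-code table above.
$AlertNames = @{
    10 = 'Unexpected message'; 20 = 'Bad record MAC'; 22 = 'Record overflow'
    30 = 'Decompression fail'; 40 = 'Handshake failure'; 47 = 'Illegal parameter'
    48 = 'Unknown CA'; 49 = 'Access denied'; 50 = 'Decode error'; 51 = 'Decrypt error'
    70 = 'Protocol version'; 71 = 'Insufficient security'; 80 = 'Internal error'
    110 = 'Unsupported extension'
}

function Get-TlsFailureRecords {
    param(
        [Parameter(Mandatory)] $SchannelEvents,   # System-log objects, Id 36888
        [Parameter(Mandatory)] $Capi2Events,      # CAPI2 Operational objects, Id 11
        [int] $Window = 5
    )
    foreach ($alert in @($SchannelEvents | Where-Object Id -eq 36888)) {
        $code = [int]$alert.Properties[0].Value
        # Most recent certificate-validation failure logged just before the alert.
        $cause = @($Capi2Events | Where-Object {
                $_.Id -eq 11 -and $_.TimeCreated -le $alert.TimeCreated -and
                ($alert.TimeCreated - $_.TimeCreated).TotalSeconds -le $Window
            } | Sort-Object TimeCreated -Descending) | Select-Object -First 1
        [pscustomobject]@{
            Time      = $alert.TimeCreated
            AlertCode = $code
            Reason    = if ($AlertNames.ContainsKey($code)) { $AlertNames[$code] } else { "Unlisted alert $code" }
            CertCheck = if ($cause) { $cause.Message } else { '(no CAPI2 11 event within window)' }
        }
    }
}

# Live use on the evaluated host. The CAPI2 Operational channel is disabled by
# default; enable it first with: wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
# $since = (Get-Date).AddHours(-1)
# $sch = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36888; StartTime = $since } -ErrorAction SilentlyContinue
# $cap = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Id = 11; StartTime = $since } -ErrorAction SilentlyContinue
# Get-TlsFailureRecords -SchannelEvents $sch -Capi2Events $cap | Format-Table -AutoSize

# Constructed sample input (not real log data) so the function runs offline.
$t0 = Get-Date '2024-01-01T10:00:00'
$sampleCapi2 = @(
    [pscustomobject]@{ Id = 11; TimeCreated = $t0.AddSeconds(-1)
                       Message = 'Build Chain: CN=vpn.example.test, result 0x800B0109 (untrusted root)' }
)
$sampleSchannel = @(
    [pscustomobject]@{ Id = 36888; TimeCreated = $t0                   # alert 48, pairs with the CAPI2 failure
                       Properties = @([pscustomobject]@{ Value = 48 }, [pscustomobject]@{ Value = 552 }) },
    [pscustomobject]@{ Id = 36888; TimeCreated = $t0.AddMinutes(5)     # alert 40, nothing in CAPI2 nearby
                       Properties = @([pscustomobject]@{ Value = 40 }, [pscustomobject]@{ Value = 1205 }) }
)
Get-TlsFailureRecords -SchannelEvents $sampleSchannel -Capi2Events $sampleCapi2 | Format-Table -AutoSize
```

On the constructed sample the first alert resolves to "Unknown CA" with the CAPI2 message attached, and the second to "Handshake failure" with no certificate check in the window. On a live host the same pairing distinguishes a validation failure (CAPI2 11 present, typically alert 48) from a negotiation failure with no certificate involvement, which is the distinction the "reason for failure" record content is meant to capture.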