id: audit-logging-disabled

info:
  name: Audit Logging Disabled
  author: princechaddha
  severity: high
  description: Check if audit logging for critical events is disabled.
  impact: |
    Disabling audit logging can lead to a lack of traceability for security incidents and breaches.
  remediation: |
    Enable audit logging for all critical security events to maintain a proper audit trail.
  tags: windows,audit-logging,security,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      AuditPol /get /category:"Account Logon"
      AuditPol /get /category:"Account Management"

    matchers:
      - type: word
        words:
          - "User Account Management                 No Auditing"
          - "Computer Account Management             No Auditing"
          - "Security Group Management               No Auditing"
          - "Credential Validation                   No Auditing"
          - "Kerberos Authentication Service         No Auditing"
# digest: 4b0a00483046022100fe71dabfda7137e13789668bc1e7d21da174b4afffc49f8f543d3935bf723ce40221008dfd322fd276de6bde6bf54d432b1932995c35715d0b50f6d3ebf27b9fb8ba5f:922c64590222798bb761d5b6d8e72950