Manual configuration of the Local Audit Policies in Windows
To manually configure the audit policies needed to run Syscheck's whodata mode, you must enable auditing of successful events. You can do this from the Local Group Policy Editor, which you open with the following command:
gpedit.msc
Advanced Audit Policy Configuration section method
This is the recommended way to configure the policies. Activate the following options:
Object Access -> File System
Object Access -> Handle Manipulation
Audit Policy section method
This option is only recommended if the previous method cannot be followed because your host is Windows Vista or Windows Server 2008. To do this, edit the following policy:
Security Settings -> Local Policies -> Audit Policy -> Audit object access
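To confirm the result after editing the policy, the following added example (not part of the original documentation) queries the effective audit policy with auditpol and reports whether successful events are captured for the two subcategories listed under the Advanced Audit Policy Configuration method. The function name Test-WhodataAuditPolicy is hypothetical, and the subcategory and setting names assume an English-language Windows installation.

```powershell
# Added example: verify that Success auditing is active for the subcategories
# that whodata mode relies on. Run from an elevated PowerShell prompt.
# Assumption: English-language Windows (auditpol localizes these names).
$RequiredSubcategories = 'File System', 'Handle Manipulation'

function Test-WhodataAuditPolicy {
    param([string[]]$Subcategory = $RequiredSubcategories)

    foreach ($name in $Subcategory) {
        # /r returns the report as CSV; drop blank lines before parsing.
        $csv = & auditpol.exe /get "/subcategory:$name" /r 2>$null |
            Where-Object { $_ -and $_.Trim() }

        $row = $null
        if ($LASTEXITCODE -eq 0 -and $csv) {
            $row = $csv | ConvertFrom-Csv |
                Where-Object { $_.Subcategory -eq $name } |
                Select-Object -First 1
        }

        # "Success" and "Success and Failure" both capture successful events;
        # "Failure" and "No Auditing" do not.
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
        [pscustomobject]@{
            Subcategory    = $name
            Setting        = $setting
            SuccessEnabled = ($setting -match '^Success')
        }
    }
}

$results = Test-WhodataAuditPolicy
$results | Format-Table -AutoSize

# A non-zero exit code lets a provisioning or compliance job flag the host.
if ($results | Where-Object { -not $_.SuccessEnabled }) {
    Write-Warning 'Success auditing is missing for at least one required subcategory.'
    exit 1
}
```

If a changed policy does not show up in the output yet, run gpupdate /force and check again.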