C2-level security requirements specify that system administrators must be able to audit security-related events and that access to this audit data must be limited to authorized administrators. The Windows API provides functions enabling an administrator to monitor security-related events.
The security descriptor for a securable object can have a system access control list (SACL). A SACL contains access control entries (ACEs) that specify the types of access attempts that generate audit reports. Each ACE identifies a trustee, a set of access rights, and a set of flags that indicate whether the system generates audit messages for failed access attempts, successful access attempts, or both.
The system writes audit messages to the security event log. For information about accessing the records in a security event log, see Event Logging.
To read or write an object's SACL, a thread must first enable the SE_SECURITY_NAME privilege. For more information, see SACL Access Right.
The Windows API also provides support for server applications to generate audit messages when a client tries to access a private object. For more information, see Auditing Access To Private Objects.