2.2.4 Event Audit Policies

This section defines the settings that let an administrator control which categories of security events the operating system audits (system events, logon events, privilege use, policy changes, account management, process tracking, directory service access, object access, and account logon) and whether successes, failures, or both are recorded. The syntax for the entries in this category MUST be as follows.

 Header = "[" HeaderValue "]" LineBreak
 HeaderValue = "Event Audit"
 Settings = Setting / Setting Settings
 Setting = Key Wsp "=" Wsp Value LineBreak
 Key = "AuditSystemEvents" / "AuditLogonEvents" / "AuditPrivilegeUse" /
   "AuditPolicyChange" / "AuditAccountManage" / "AuditProcessTracking" /
   "AuditDSAccess" / "AuditObjectAccess" / "AuditAccountLogon"
 Value = 1*DIGIT

The following table provides an explanation for the valid keys as specified in [MS-LSAD] section 2.2.4.20.

Note: All numerical values are decimal unless explicitly specified otherwise or unless preceded by 0x. In this section the Value rule admits only decimal digits (1*DIGIT).

Setting key        Explanation

AuditAccountManage

A flag that indicates whether the operating system MUST audit each account management event on the computer.

AuditDSAccess

A security setting that determines whether the operating system MUST audit each instance of a user attempt to access an Active Directory object that has its own system access control list (SACL) specified, when the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL. The administrator can specify to audit only successes, only failures, both successes and failures, or to not audit these events at all (that is, neither successes nor failures). If Success auditing is enabled, an audit entry MUST be logged each time any user successfully accesses an Active Directory object that has a matching SACL specified. If Failure auditing is enabled, an audit entry MUST be logged each time any user unsuccessfully attempts to access an Active Directory object that has a matching SACL specified.

AuditAccountLogon

A security setting that determines whether the operating system MUST audit each time this computer validates the credentials of an account. Account logon events are generated whenever a computer validates the credentials of one of its local accounts. The credential validation can be in support of a local logon or, in the case of an Active Directory domain account on a domain controller (DC), in support of a logon to another computer. Audited events for local accounts MUST be logged in the local security log of the computer. Account logoff does not generate an event that can be audited. If this policy setting is defined, the administrator can specify to audit only successes, only failures, both successes and failures, or to not audit these events at all (that is, neither successes nor failures).

AuditLogonEvents

A security setting that determines whether the operating system MUST audit each instance of a user attempt to log on or log off this computer. Logoff events are generated whenever the logon session of a logged-on user account is terminated. If this policy setting is defined, the administrator can specify to audit only successes, only failures, both successes and failures, or to not audit these events at all (that is, neither successes nor failures).

AuditObjectAccess

A security setting that determines whether the operating system MUST audit each instance of a user attempt to access a non-Active Directory object that has its own SACL specified, when the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL. The administrator can specify to audit only successes, only failures, both successes and failures, or to not audit these events at all (that is, neither successes nor failures). If Success auditing is enabled, an audit entry MUST be logged each time any user successfully accesses a non-Active Directory object that has a matching SACL specified. If Failure auditing is enabled, an audit entry MUST be logged each time any user unsuccessfully attempts to access a non-Active Directory object that has a matching SACL specified.

AuditPolicyChange

A security setting that determines whether the operating system MUST audit each instance of user attempts to change user rights assignment policy, audit policy, account policy, or trust policy. The administrator can specify to audit only successes, only failures, both successes and failures, or to not audit these events at all (that is, neither successes nor failures). If Success auditing is enabled, an audit entry MUST be logged when an attempted change to user rights assignment policy, audit policy, or trust policy is successful. If Failure auditing is enabled, an audit entry MAY be logged when a change to user rights assignment policy, audit policy, or trust policy is attempted by an account that is not authorized to make the requested policy change.<4>

AuditPrivilegeUse

A security setting that determines whether the operating system MUST audit each instance of user attempts to exercise a user right. If this policy setting is defined, the administrator can specify to audit only successes, only failures, both successes and failures, or to not audit these events at all (that is, neither successes nor failures). If Success auditing is enabled, an audit entry MUST be logged each time the exercise of a user right succeeds. If Failure auditing is enabled, an audit entry MUST be logged each time the exercise of a user right fails because the user account is not assigned to the user right.

AuditProcessTracking

A security setting that determines whether the operating system MUST audit process-related events such as process creation, process termination, handle duplication, and indirect object access. If this policy setting is defined, the administrator can specify to audit only successes, only failures, both successes and failures, or to not audit these events at all (that is, neither successes nor failures). If Success auditing is enabled, an audit entry MUST be logged each time the operating system performs one of these process-related activities. If Failure auditing is enabled, an audit entry MAY be logged each time the operating system fails to perform one of these process-related activities.<5>

AuditSystemEvents

A security setting that determines whether the operating system MUST audit any of the following events:

  • Attempted system time change.

  • Attempted security system startup or shutdown.

  • Attempt to load extensible authentication components.

  • Loss of audited events due to auditing system failure.

  • Security log size exceeding a configurable warning threshold level.

If this policy setting is defined, the administrator can specify to audit only successes, only failures, both successes and failures, or to not audit these events at all (that is, neither successes nor failures). If Success auditing is enabled, an audit entry MUST be logged each time the operating system performs one of these activities successfully. If Failure auditing is enabled, an audit entry MUST be logged each time the operating system attempts and fails to perform one of these activities.

The following table summarizes the valid values. Values 1 and 2 are independent flags, and 3 is their combination. For more details on valid values see [MS-LSAD] section 2.2.4.4.

Setting value   Explanation

0               Indicates that this setting is set to None.
1               Indicates that this setting is set to Success Audits Only.
2               Indicates that this setting is set to Failure Audits Only.
3               Indicates that this setting is set to Success and Failure Audits.
4               Indicates that this setting is set to None.
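The following parser is an added example for this page; it is not code from [MS-GPSB] or from any Microsoft tool. It implements the ABNF given at the start of this section and the value table above: it extracts the [Event Audit] section from a template, rejects any line that does not match the Setting rule (including a "0x" prefix, which 1*DIGIT does not allow), maps each value through the table, and then compares the result against a baseline to report categories that audit less than required. The [Version] header, the template text, and the baseline are constructed for the example and are not requirements of the specification.

```python
"""Parse and check the [Event Audit] section of a GptTmpl.inf security template.

Added example for this page, not code from [MS-GPSB] or any Microsoft tool. It
implements the ABNF in section 2.2.4 and the value table that closes the
section; the template text and the baseline below are constructed.
"""
import re

# The nine keys admitted by the Key rule of the ABNF.
VALID_KEYS = frozenset({
    "AuditSystemEvents", "AuditLogonEvents", "AuditPrivilegeUse",
    "AuditPolicyChange", "AuditAccountManage", "AuditProcessTracking",
    "AuditDSAccess", "AuditObjectAccess", "AuditAccountLogon",
})
# Value table: 1 and 2 are independent bits (3 sets both); 0 and 4 mean None.
SUCCESS, FAILURE = 1, 2
VALUE_NAMES = {0: "None", 1: "Success Audits Only", 2: "Failure Audits Only",
               3: "Success and Failure Audits", 4: "None"}
# Setting = Key Wsp "=" Wsp Value LineBreak, with Value = 1*DIGIT: decimal
# digits only, so a "0x" prefix or a negative number is off-grammar.
_SETTING_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*([0-9]+)\s*$")

def extract_section(inf_text, header="Event Audit"):
    """Return the non-blank lines between "[Event Audit]" and the next header."""
    body, inside = [], False
    for line in inf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            inside = stripped[1:-1] == header
            continue
        if inside and stripped:
            body.append(line)
    return body

def parse_event_audit(inf_text):
    """Parse [Event Audit] into {key: int}; ValueError on anything off-grammar."""
    settings = {}
    for line in extract_section(inf_text):
        m = _SETTING_RE.match(line)
        if not m:
            raise ValueError(f"malformed setting line: {line!r}")
        key, value = m.group(1), int(m.group(2))
        if key not in VALID_KEYS:
            raise ValueError(f"unknown Event Audit key: {key}")
        if value not in VALUE_NAMES:
            raise ValueError(f"value {value} for {key} is outside the value table")
        if key in settings:
            raise ValueError(f"duplicate key: {key}")
        settings[key] = value
    return settings

def describe(settings):
    """Each parsed setting in the wording of the value table."""
    return {key: VALUE_NAMES[value] for key, value in settings.items()}

# Constructed baseline (an assumption of this example, not a requirement of the
# spec): both outcomes for the logon, account and policy categories, and at
# least failures of privilege use.
BASELINE = {
    "AuditAccountLogon": SUCCESS | FAILURE, "AuditLogonEvents": SUCCESS | FAILURE,
    "AuditAccountManage": SUCCESS | FAILURE, "AuditPolicyChange": SUCCESS | FAILURE,
    "AuditSystemEvents": SUCCESS | FAILURE, "AuditPrivilegeUse": FAILURE,
}

def find_gaps(settings, baseline=BASELINE):
    """Return {key: missing bits} where the template audits less than baseline."""
    gaps = {}
    for key, required in baseline.items():
        raw = settings.get(key, 0)           # an omitted key counts as None
        configured = 0 if raw == 4 else raw  # 4 is None too and carries no bits
        missing = required & ~configured
        if missing:
            gaps[key] = missing
    return gaps

# Constructed templates. The weak one audits successes only or nothing, and
# sets AuditAccountLogon to 4, which the table defines as None.
WEAK_TEMPLATE = """\
[Version]
signature="$CHICAGO$"
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 1
AuditPrivilegeUse = 0
AuditPolicyChange = 1
AuditAccountManage = 1
AuditProcessTracking = 0
AuditDSAccess = 0
AuditObjectAccess = 0
AuditAccountLogon = 4
"""
# Same template with every category set to 3 (Success and Failure Audits).
HARDENED_TEMPLATE = re.sub(r"= [014]$", "= 3", WEAK_TEMPLATE, flags=re.M)

if __name__ == "__main__":
    for name, text in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        parsed = parse_event_audit(text)
        print(name, describe(parsed), "gaps:", find_gaps(parsed))
```

Two design choices are worth noting. A key that is absent from the section is treated as None rather than ignored, so a template that simply omits AuditAccountLogon is reported as a gap instead of passing silently; and a repeated key is rejected, because the grammar gives no rule for which occurrence wins and a checker should not guess.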