Auditing

The goal of auditing is to generate entries in the security log for successful or failed attempts to access an object. AccessCheckAndAuditAlarm cannot determine whether an attempted access succeeds or fails until it completes an access check, so access-checking takes place first. After the access check is complete, the function determines what needs to be logged by considering the following information:

  • The subject's access token

  • The desired access mask presented by the subject

  • The granted access mask resulting from the access check

  • The object's SACL

Audit-checking is much simpler than access-checking. Only a fraction of the total number of access requests requires an entry in the security log—only those requests that you want to monitor. Security logs become unusable when they contain too much information, so you quickly learn to be judicious when setting audit controls. As a result, SACLs generally have fewer ACEs than DACLs.

AccessCheckAndAuditAlarm uses the following rules to evaluate ACEs in an object's SACL:

  1. If an ACE's inheritance flags are marked INHERIT_ONLY, the ACE is skipped.

  2. If the SID in an ACE does not match any SID in the subject's access token, the ACE is skipped.

  3. If a bit is turned on in the ACE's access mask but the corresponding bit is not turned on in the desired access mask, the ACE is skipped. The only relevant ACEs are those that match rights that the subject has requested.

  4. If an ACE's audit flags contain SUCCESSFUL_ACCESS_ACE_FLAG, the ACE's access mask is compared with the granted access mask. If a bit is turned on in the ACE's access mask and the same bit is turned on in the granted access mask, a successful access event is recorded in the security log.

  5. If an ACE's audit flags contain FAILED_ACCESS_ACE_FLAG, the ACE's access mask is compared with the granted access mask. If a bit is turned on in the ACE's access mask and the same bit is turned off in the granted access mask, a failed access event is recorded in the security log.

  6. When the process reaches the end of the SACL, audit-checking stops.
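The six rules above are easy to get subtly wrong (rule 3 in particular, which filters on the desired mask before rules 4 and 5 compare against the granted mask). The following C program is an added example, not code from the text or from Windows itself: it models the SACL walk over constructed data so the rules can be stepped through. SIDs are modelled as small integers, the three access rights and the sample SACL are constructed for the model, and the only values borrowed from the real API are the three ACE flag bits, which match their winnt.h definitions. The access check itself is assumed to have already run and produced the granted mask, exactly as the text describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ACE header flag bits (these three values match winnt.h). */
#define INHERIT_ONLY_ACE            0x08
#define SUCCESSFUL_ACCESS_ACE_FLAG  0x40
#define FAILED_ACCESS_ACE_FLAG      0x80

/* Constructed access rights for the model object (not a real Windows object type). */
#define RIGHT_READ    0x0001u
#define RIGHT_WRITE   0x0002u
#define RIGHT_DELETE  0x0004u

/* Model SIDs: small integers stand in for real SIDs (constructed). */
enum { SID_ALICE = 1, SID_EVERYONE = 2, SID_ADMINS = 3 };

typedef struct {
    unsigned sid;     /* who the ACE applies to */
    uint8_t  flags;   /* ACE header flags: inheritance and audit flags */
    uint32_t mask;    /* access mask the ACE audits */
} sacl_ace_t;

typedef struct {
    const unsigned *sids;  /* SIDs in the subject's access token */
    size_t count;
} token_t;

enum { AUDIT_NONE = 0, AUDIT_SUCCESS = 1, AUDIT_FAILURE = 2 };

static bool token_has_sid(const token_t *tok, unsigned sid)
{
    for (size_t i = 0; i < tok->count; i++)
        if (tok->sids[i] == sid) return true;
    return false;
}

/* Walks the SACL with the six rules from the text. The access check has already
 * produced `granted`; this function only decides which audit events to record.
 * Returns a bitwise OR of AUDIT_SUCCESS / AUDIT_FAILURE. */
int audit_check(const sacl_ace_t *sacl, size_t n, const token_t *tok,
                uint32_t desired, uint32_t granted)
{
    int events = AUDIT_NONE;
    for (size_t i = 0; i < n; i++) {
        const sacl_ace_t *ace = &sacl[i];
        /* Rule 1: inherit-only ACEs never apply to this object. */
        if (ace->flags & INHERIT_ONLY_ACE) continue;
        /* Rule 2: the ACE must name a SID held by the subject. */
        if (!token_has_sid(tok, ace->sid)) continue;
        /* Rule 3: every audited bit must have been requested by the subject. */
        if (ace->mask & ~desired) continue;
        /* Rule 4: audit-success ACE and at least one audited bit was granted. */
        if ((ace->flags & SUCCESSFUL_ACCESS_ACE_FLAG) && (ace->mask & granted))
            events |= AUDIT_SUCCESS;
        /* Rule 5: audit-failure ACE and at least one audited bit was denied. */
        if ((ace->flags & FAILED_ACCESS_ACE_FLAG) && (ace->mask & ~granted))
            events |= AUDIT_FAILURE;
    }
    return events; /* Rule 6: end of SACL reached. */
}

/* Constructed sample SACL: audit Everyone's writes (success and failure),
 * audit Administrators' failed deletes, and one inherit-only ACE that must be ignored. */
const sacl_ace_t SAMPLE_SACL[] = {
    { SID_EVERYONE, SUCCESSFUL_ACCESS_ACE_FLAG | FAILED_ACCESS_ACE_FLAG, RIGHT_WRITE  },
    { SID_ADMINS,   FAILED_ACCESS_ACE_FLAG,                              RIGHT_DELETE },
    { SID_EVERYONE, INHERIT_ONLY_ACE | FAILED_ACCESS_ACE_FLAG,           RIGHT_READ   },
};
const size_t SAMPLE_SACL_LEN = sizeof SAMPLE_SACL / sizeof SAMPLE_SACL[0];

/* Constructed tokens: an ordinary user and an administrator. */
static const unsigned ALICE_SIDS[] = { SID_ALICE, SID_EVERYONE };
static const unsigned ADMIN_SIDS[] = { SID_ALICE, SID_EVERYONE, SID_ADMINS };
const token_t ALICE_TOKEN = { ALICE_SIDS, 2 };
const token_t ADMIN_TOKEN = { ADMIN_SIDS, 3 };

int main(void)
{
    struct { const token_t *tok; uint32_t desired, granted; } cases[] = {
        { &ALICE_TOKEN, RIGHT_READ | RIGHT_WRITE, RIGHT_READ | RIGHT_WRITE }, /* write granted: success entry */
        { &ALICE_TOKEN, RIGHT_READ | RIGHT_WRITE, RIGHT_READ },              /* write denied: failure entry */
        { &ALICE_TOKEN, RIGHT_READ,               RIGHT_READ },              /* write never requested: nothing */
        { &ADMIN_TOKEN, RIGHT_DELETE,             0 },                       /* admin delete denied: failure entry */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int ev = audit_check(SAMPLE_SACL, SAMPLE_SACL_LEN, cases[i].tok,
                             cases[i].desired, cases[i].granted);
        printf("desired=0x%x granted=0x%x -> %s%s%s\n",
               (unsigned)cases[i].desired, (unsigned)cases[i].granted,
               (ev & AUDIT_SUCCESS) ? "SUCCESS " : "",
               (ev & AUDIT_FAILURE) ? "FAILURE " : "",
               ev == AUDIT_NONE ? "(no audit entry)" : "");
    }
    return 0;
}
```

The third case shows why rule 3 matters for log volume: Alice's read request never touches the write-audit ACE, so no entry is written even though her token matches its SID. The inherit-only ACE on read is dropped by rule 1 regardless of what was requested or granted.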