The functions in the Audit Policy category retrieve information on audit policy settings and set audit policy parameters.
The functions in the Audit Policy category are as follows:

| Function | Description |
|---|---|
| NetAuditPolicyGetInfo | Retrieves information about the audit policy settings on a server. |
| NetAuditPolicySetInfo | Sets the audit policy parameters on a server. |

Advanced Server can track selected user activities by auditing security events and placing entries in a server's security log. Use the Audit Policy API functions to query and set the types of security events that Advanced Server logs.
When administering domains, the Audit Policy affects the security logs of all servers in the domain because they share the same Audit Policy. When administering a Windows NT Workstation computer or a Windows NT Server computer that is not a primary domain controller, this policy affects only the security log of that computer.
NetAuditPolicyGetInfo and NetAuditPolicySetInfo can be used for retrieving and changing Audit Policy settings for each of the predefined security events and for disabling and enabling auditing on the servers in the domain in general.
The level control parameter controls the level of information that is provided to or returned from the NetAuditPolicyGetInfo and NetAuditPolicySetInfo functions. These functions use only the level 1 data structure.
The AUDIT_POLICY_INFO_1 data structure has the following format:

    typedef struct _AUDIT_POLICY_INFO_1 {
        BOOLEAN AuditingMode;
        ULONG *AuditingOptions;
        ULONG MaxEventCount;
    } AUDIT_POLICY_INFO_1, *PAUDIT_POLICY_INFO_1;

Within this structure, the parameters are defined as follows:
AuditingMode specifies whether auditing on the server is enabled or disabled.
AuditingOptions points to an array of auditing options set for predefined security events. This array is indexed by the AUDIT_POLICY_EVENT_TYPE enumeration, and each entry contains the auditing options set for the corresponding auditing event (see the tables of AuditPolicy Event types and auditing options below).
MaxEventCount specifies the number of entries in the AuditingOptions array.
AuditPolicy Event types are defined in the unixapi.h file as follows:

| Manifest | Value | Meaning |
|---|---|---|
| AuditPolicyEventSystem | 0x00 | Restart or shutdown of the computer; or an event which affected system security or the security log. |
| AuditPolicyEventLogon | 0x01 | A user logged on or off or made a network connection. |
| AuditPolicyEventObjectAccess | 0x02 | A user accessed a resource which is set for auditing. |
| AuditPolicyEventPrivilegeUse | 0x03 | A user exercised a user right (except those rights related to logon and logoff). |
| AuditPolicyEventDetailedTracking | 0x04 | These events provide detailed tracking information for such events as program activation, some forms of handle duplication, indirect object access and process exit. |
| AuditPolicyEventPolicyChange | 0x05 | A change was made to User Rights, Audit, or Trust Relationships policy. |
| AuditPolicyEventAccountManagement | 0x06 | A user account or group was created, changed, or deleted. A user account was renamed, disabled, or enabled; or a password was set or changed. |
| AuditPolicyEventLast | | Always the last event in the audit events list. |

The possible auditing settings for each of the security events are defined in the unixapi.h file as follows:

| Manifest | Bit Mask | Meaning |
|---|---|---|
| AUDIT_POLICY_EVENT_UNCHANGED | 0x0000 | The auditing settings of the events of this type are left unchanged. |
| AUDIT_POLICY_EVENT_SUCCESS | 0x0001 | Audit successful events of this type. |
| AUDIT_POLICY_EVENT_FAILURE | 0x0002 | Audit failed events of this type. |
| AUDIT_POLICY_EVENT_NONE | 0x0004 | Do not audit events of this type. |
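
The following added example (not part of the original documentation or of unixapi.h) shows how a retrieved AUDIT_POLICY_INFO_1 can be checked for coverage gaps: the hypothetical helper audit_policy_gaps reports which event types do not log the required outcomes. The BOOLEAN and ULONG typedefs, the position of AuditPolicyEventLast in the enumeration, and treating a NONE bit as overriding any other bit are assumptions made so the example compiles on its own.

```c
#include <stdio.h>
/* Stand-ins for unixapi.h (typedef widths assumed; values from this page). */
typedef unsigned char BOOLEAN;
typedef unsigned long ULONG;
typedef enum {
    AuditPolicyEventSystem, AuditPolicyEventLogon, AuditPolicyEventObjectAccess,
    AuditPolicyEventPrivilegeUse, AuditPolicyEventDetailedTracking,
    AuditPolicyEventPolicyChange, AuditPolicyEventAccountManagement,
    AuditPolicyEventLast /* no value given on the page; enum order assumed */
} AUDIT_POLICY_EVENT_TYPE;
#define AUDIT_POLICY_EVENT_SUCCESS 0x0001
#define AUDIT_POLICY_EVENT_FAILURE 0x0002
#define AUDIT_POLICY_EVENT_NONE    0x0004
typedef struct _AUDIT_POLICY_INFO_1 {
    BOOLEAN AuditingMode;
    ULONG *AuditingOptions;
    ULONG MaxEventCount;
} AUDIT_POLICY_INFO_1, *PAUDIT_POLICY_INFO_1;

/* Hypothetical helper: bit n of the result is set when event type n does not
   log every outcome in `required` (auditing off or a short array count too). */
unsigned audit_policy_gaps(const AUDIT_POLICY_INFO_1 *p, ULONG required)
{
    unsigned gaps = 0;
    for (ULONG ev = 0; ev < AuditPolicyEventLast; ev++) {
        ULONG opt = 0;
        if (p->AuditingMode && p->AuditingOptions && ev < p->MaxEventCount)
            opt = p->AuditingOptions[ev];
        /* Conservative: a NONE bit means "not audited" whatever else is set. */
        if ((opt & AUDIT_POLICY_EVENT_NONE) || (opt & required) != required)
            gaps |= 1u << ev;
    }
    return gaps;
}

/* Constructed sample: Logon audits success only, ObjectAccess is NONE, and
   the array ends before AccountManagement (MaxEventCount is 6). */
unsigned sample_gaps(BOOLEAN mode)
{
    ULONG opts[] = { 3, 1, 4, 3, 2, 3 };
    AUDIT_POLICY_INFO_1 pol = { mode, opts, 6 };
    return audit_policy_gaps(&pol, AUDIT_POLICY_EVENT_FAILURE);
}

int main(void)
{
    printf("enabled: 0x%02x  disabled: 0x%02x\n", sample_gaps(1), sample_gaps(0));
    return 0;
}
```

Bit n of the result corresponds to event type n in the AuditPolicy Event types table, so a non-zero value names the categories whose failures would leave no entry in the security log.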