AUDIT_POLICY
This policy item checks for the values defined in “Security Settings -> Local Policies -> Audit Policy”.
The check is performed by calling the function LsaQueryInformationPolicy with the level PolicyAuditEventsInformation.
Usage
<custom_item>
type: AUDIT_POLICY
description: ["description"]
value_type: [VALUE_TYPE]
value_data: [value]
(optional) check_type: [value]
audit_policy: [PASSWORD_POLICY_TYPE]
</custom_item>
This item uses the audit_policy field to describe which element of the audit policy must be audited. The allowed types are:
- AUDIT_ACCOUNT_LOGON (“Audit account logon events”)
- AUDIT_ACCOUNT_MANAGER (“Audit account management”)
- AUDIT_DIRECTORY_SERVICE_ACCESS (“Audit directory service access”)
- AUDIT_LOGON (“Audit logon events”)
- AUDIT_OBJECT_ACCESS (“Audit object access”)
- AUDIT_POLICY_CHANGE (“Audit policy change”)
- AUDIT_PRIVILEGE_USE (“Audit privilege use”)
- AUDIT_DETAILED_TRACKING (“Audit process tracking”)
- AUDIT_SYSTEM (“Audit system events”)
value_type: AUDIT_SET
value_data: "No auditing", "Success", "Failure", "Success, Failure"
Note: There is a required space in “Success, Failure”.
Example
<custom_item>
type: AUDIT_POLICY
description: "Audit policy change"
value_type: AUDIT_SET
value_data: "Failure"
audit_policy: AUDIT_POLICY_CHANGE
</custom_item>
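As an added example (not part of the original documentation or of the scanner's own code), the following Python lint checks AUDIT_POLICY items against the allowed audit_policy types and AUDIT_SET values listed above, including the required space in "Success, Failure". It assumes one field per line, as in the usage block. The helper _item, the sample items and the wrong name AUDIT_PROCESS_TRACKING are constructed for illustration.

```python
import re

# Allowed values, copied from the lists on this page.
AUDIT_POLICY_TYPES = set("""
    AUDIT_ACCOUNT_LOGON AUDIT_ACCOUNT_MANAGER AUDIT_DIRECTORY_SERVICE_ACCESS
    AUDIT_LOGON AUDIT_OBJECT_ACCESS AUDIT_POLICY_CHANGE AUDIT_PRIVILEGE_USE
    AUDIT_DETAILED_TRACKING AUDIT_SYSTEM""".split())
AUDIT_SET_VALUES = {"No auditing", "Success", "Failure", "Success, Failure"}
ITEM_RE = re.compile(r"<custom_item>(.*?)</custom_item>", re.S)
FIELD_RE = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")  # assumes one field per line

def parse_items(text):
    """Return one {field: value} dict per <custom_item> block."""
    items = []
    for body in ITEM_RE.findall(text):
        fields = {}
        for line in body.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2).strip('"')
        items.append(fields)
    return items

def lint_audit_policy(text):
    """Return (item_index, message) for each malformed AUDIT_POLICY item."""
    problems = []
    for i, item in enumerate(parse_items(text)):
        if item.get("type") != "AUDIT_POLICY":
            continue  # other item types are out of scope
        policy, value = item.get("audit_policy"), item.get("value_data")
        if policy not in AUDIT_POLICY_TYPES:
            problems.append((i, f"unknown audit_policy {policy!r}"))
        if item.get("value_type") != "AUDIT_SET":
            problems.append((i, "value_type must be AUDIT_SET"))
        if value not in AUDIT_SET_VALUES:
            hint = " (required space missing?)" if value == "Success,Failure" else ""
            problems.append((i, f"invalid value_data {value!r}{hint}"))
    return problems

def _item(value, policy):  # hypothetical helper: builds a constructed sample item
    return ("<custom_item>\ntype: AUDIT_POLICY\nvalue_type: AUDIT_SET\n"
            f'value_data: "{value}"\naudit_policy: {policy}\n</custom_item>\n')

# Constructed sample: item 0 is valid, items 1 and 2 are deliberately wrong.
SAMPLE = (_item("Failure", "AUDIT_POLICY_CHANGE")
          + _item("Success,Failure", "AUDIT_LOGON")
          + _item("Success", "AUDIT_PROCESS_TRACKING"))

if __name__ == "__main__":
    print(*lint_audit_policy(SAMPLE), sep="\n")
```

Item 2 shows a common slip: the setting is labelled “Audit process tracking”, but its audit_policy type is AUDIT_DETAILED_TRACKING.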