SERVICE_AUDIT
This policy item checks if the service ACL is correct. The check is performed by calling the function QueryServiceObjectSecurity on the service handle.
Usage
<custom_item>
type: SERVICE_AUDIT
description: ["description"]
value_type: [value_type]
value_data: [value]
(optional) check_type: [value]
service: ["servicename"]
(optional) acl_option: [acl_option]
</custom_item>
The allowed type is:
value_type: SERVICE_ACL
value_data: "ACLname"
service: "ServiceName"
When using this audit type, please note the following:
- The value_data field is the name of the ACL defined in the policy file.
- The acl_option field can be set to CAN_BE_NULL or CAN_NOT_BE_NULL to force a success/error if the key does not exist.
- The acl_allow and acl_deny fields correspond to “Successful” and “Failed” audit events.
Example
Here is an example .audit file for auditing the “Alerter” service:
<custom_item>
type: SERVICE_AUDIT
description: "Audit for Alerter Service"
value_type: SERVICE_ACL
value_data: "ACL3"
service: "Alerter"
</custom_item>
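The following added example (not Tenable's code and not part of the original page) illustrates the note that acl_allow and acl_deny correspond to “Successful” and “Failed” audit events. It parses the audit ACEs of a service security descriptor in SDDL text form and groups the audited rights by trustee. The SDDL string is constructed sample input, the function name is hypothetical, and the right names are the Windows service access constants rather than .audit keywords.

```python
import re

# Two-letter SDDL rights codes as Windows interprets them on service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# SDDL SID abbreviations used in the sample below.
TRUSTEES = {"WD": "Everyone", "SY": "SYSTEM", "BA": "Administrators"}

# Constructed sample: a DACL followed by a SACL with two audit ACEs.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)(AU;SAFA;WDWO;;;BA)")

def parse_service_sacl(sddl):
    """Map each trustee in the S: part to its audited rights."""
    start = sddl.find("S:")
    if start < 0:
        return {}  # descriptor carries no SACL
    result = {}
    for ace in re.findall(r"\(([^)]*)\)", sddl[start:]):
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] != "AU":
            continue  # keep only SYSTEM_AUDIT ACEs
        flags = re.findall("..", fields[1])
        # Assumes rights are two-letter codes, not a hex access mask.
        rights = [SERVICE_RIGHTS.get(c, c) for c in re.findall("..", fields[2])]
        trustee = TRUSTEES.get(fields[5], fields[5])
        entry = result.setdefault(trustee, {"acl_allow": [], "acl_deny": []})
        if "SA" in flags:  # audit successful access -> acl_allow
            entry["acl_allow"] += rights
        if "FA" in flags:  # audit failed access -> acl_deny
            entry["acl_deny"] += rights
    return result

if __name__ == "__main__":
    for who, audit in parse_service_sacl(SAMPLE_SDDL).items():
        print(who, audit)
```

An ACE flagged with both SA and FA lands in both lists, which is how a single SACL entry can back both an acl_allow and an acl_deny line for the same user.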