Audit Kernel Object
Audit Kernel Object determines whether the operating system generates audit events when users attempt to access system kernel objects, which include mutexes and semaphores.
Only kernel objects with a matching system access control list (SACL) generate security audit events. The audits generated are usually useful only to developers.
Typically, kernel objects are given SACLs only if the AuditBaseObjects or AuditBaseDirectories auditing options are enabled.
The “Audit: Audit the access of global system objects” policy setting controls the default SACL of kernel objects.
Event volume: High.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
---|---|---|---|---|---|
Domain Controller | No | No | No | No | Typically, kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high. There is no recommendation to enable this subcategory unless you know exactly what you need to monitor at the kernel object level. |
Member Server | No | No | No | No | Typically, kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high. There is no recommendation to enable this subcategory unless you know exactly what you need to monitor at the kernel object level. |
Workstation | No | No | No | No | Typically, kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high. There is no recommendation to enable this subcategory unless you know exactly what you need to monitor at the kernel object level. |
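
To check a host against the recommendations in the table, the following added example (not part of the original page) evaluates `auditpol` CSV output together with the two global-object options named above. `Get-KernelObjectAuditFinding` is a hypothetical helper name, the sample row is constructed, and the `Lsa` registry path in the comments is an assumption that does not appear on this page; English-language `auditpol` output is assumed.

```powershell
# Added example: compares the Kernel Object subcategory with the "No" recommendations.
# Get-KernelObjectAuditFinding is a hypothetical helper, not a built-in cmdlet.
function Get-KernelObjectAuditFinding {
    param(
        # Lines from: auditpol /get /subcategory:"Kernel Object" /r
        [Parameter(Mandatory)] [string[]] $AuditpolCsv,
        # Values of the global-object auditing options; 0 when the value is absent
        [int] $AuditBaseObjects = 0,
        [int] $AuditBaseDirectories = 0
    )
    # auditpol /r can emit blank lines around the header, so drop them before parsing
    $row = $AuditpolCsv | Where-Object { $_.Trim() } | ConvertFrom-Csv |
        Where-Object { $_.Subcategory -eq 'Kernel Object' } | Select-Object -First 1
    if (-not $row) { throw 'Kernel Object subcategory not found in auditpol output.' }

    $setting     = $row.'Inclusion Setting'   # No Auditing | Success | Failure | Success and Failure
    $enabled     = $setting -ne 'No Auditing'
    $globalSacls = ($AuditBaseObjects -ne 0) -or ($AuditBaseDirectories -ne 0)

    [pscustomobject]@{
        Setting               = $setting
        AuditsSuccess         = $setting -match 'Success'
        AuditsFailure         = $setting -match 'Failure'
        GlobalObjectSacls     = $globalSacls
        # Events need both the subcategory and a matching SACL; default SACLs on
        # global objects are what turn an enabled subcategory into high volume.
        HighVolumeLikely      = $enabled -and $globalSacls
        MatchesRecommendation = -not $enabled
    }
}

# Constructed sample input (host name and GUID are placeholders)
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'HOST01,System,Kernel Object,{00000000-0000-0000-0000-000000000000},Success and Failure,'
)
Get-KernelObjectAuditFinding -AuditpolCsv $sample -AuditBaseObjects 1

# Live check from an elevated prompt (registry path is an assumption, see lead-in):
# $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Get-KernelObjectAuditFinding -AuditpolCsv (auditpol /get /subcategory:"Kernel Object" /r) `
#     -AuditBaseObjects ([int]$lsa.AuditBaseObjects) `
#     -AuditBaseDirectories ([int]$lsa.AuditBaseDirectories)
```

For the constructed sample, `MatchesRecommendation` is `False` and `HighVolumeLikely` is `True`, because the subcategory is enabled while global objects receive default SACLs.
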
Events List: