9 SECURITY AUDITING

Intertwined with the access check process is the auditing process. An administrator can configure the system’s auditing mechanism to generate a log of accessed resources. Each log event will include details about the user and application that opened the resource and whether the access succeeded or failed. This information can help us identify incorrect security settings or detect malicious access to sensitive resources.
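The two pieces of configuration that the paragraph above refers to, and what the resulting log entries look like, as an added PowerShell example (not code from the book): the system-wide audit policy is switched on with auditpol, a per-object audit entry (SACL) is attached to a test file, the file is read, and the Security log is queried for the resulting object-access events (IDs 4656 and 4663) and reduced to the user, process, object and outcome fields. The path C:\Temp\audit-demo.txt and the helper name Get-ObjectAccessEvents are assumptions for this demo; run it from an elevated prompt, since both reading a SACL and changing audit policy require administrative privilege.

```powershell
# Added example, not from the book: enable file-system object-access auditing,
# place an audit ACE (SACL entry) on a test file, access it, then read back the
# Security-log records the kernel generated. Run from an elevated PowerShell.
# The file path below is an assumption made for this demo.
$file = 'C:\Temp\audit-demo.txt'
New-Item -ItemType Directory -Path (Split-Path $file) -Force | Out-Null
Set-Content -Path $file -Value 'sensitive data'

# 1. System-wide policy: enable the "File System" subcategory of Object Access
#    for both success and failure. Without this, SACLs are never evaluated.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Per-object policy: add an audit ACE to the file's SACL. This is the point
#    where auditing is tied to the access check: when the requested access
#    intersects the audit ACE's rights, the kernel queues an audit record.
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.AuditFlags]'Success,Failure')
# -Audit is required to read the SACL (needs SeSecurityPrivilege, held by admins).
$acl = Get-Acl -Path $file -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $file -AclObject $acl

# 3. Generate an access. A read open produces 4656 (handle requested) and,
#    once the data is actually read, 4663 (object accessed).
$start = Get-Date
Get-Content -Path $file | Out-Null
Start-Sleep -Seconds 2   # give the event log a moment to commit the records

# 4. Read the audit records and project the fields the text mentions: the user
#    (SubjectUserName), the program (ProcessName), the resource (ObjectName)
#    and whether the access succeeded or failed (the record's Keywords).
function Get-ObjectAccessEvents {
    param([string]$Path, [datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 4656, 4663; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        # Payload fields live in <EventData><Data Name="...">; flatten them.
        $x = [xml]$ev.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['ObjectName'] -ne $Path) { continue }
        [pscustomobject]@{
            Time       = $ev.TimeCreated
            Id         = $ev.Id
            Outcome    = ($ev.KeywordsDisplayNames -join ',')   # "Audit Success" / "Audit Failure"
            User       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Process    = $d['ProcessName']
            Object     = $d['ObjectName']
            AccessMask = $d['AccessMask']
        }
    }
}

Get-ObjectAccessEvents -Path $file -Since $start | Format-Table -AutoSize
```

Both settings have to be in place before anything is logged: the audit ACE alone does nothing while the subcategory is disabled, and the policy alone logs nothing for objects whose SACL is empty. A failed open (for example, reading the file as a user denied ReadData in the DACL) shows up as a 4656 record whose Keywords read "Audit Failure", which is the signal the paragraph describes for spotting misconfigured permissions or unwanted access attempts.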

In this short chapter, we’ll first discuss where the resource access log gets stored once the kernel generates it. We’ll then describe how a system administrator can configure the audit mechanism. Finally, ...