Security Auditing

The SDK service supports success and failure auditing for every method invoked on the service. For the most part, the event only includes the SDK operation (e.g. UserRole__Get), the user we validated against that operation, the actual SDK service method requesting the access check and the session id of the SDK client that this access check was performed for. Enabling auditing is straightforward, as it leverages the object-level auditing mechanism built into Windows 2003 Server:

  1. Open Local Security Policy, found under Administrative Tools
  2. Expand Local Policies and select Audit Policy
  3. Select "Audit object access"
  4. Right-click and select Properties
  5. Enable "Success" and/or "Failure", depending on what you want to audit

Shortly afterwards, all SDK methods should be audited to the security event log.

Aside from the information mentioned above, we do audit more information for some operations.

For tasks, we audit: JobId, TaskId, TargetObjectId, whether the task requires encryption, every override and value applied (if any) and username and domain if an alternate account was provided for execution.

For ManagementPack change failures, including imports, updates and deletes, for security-related failures we audit which management pack failed to be changed and what element triggered the failure. This can occur for users in an Author or Advanced Operator profile who try to perform management pack operations outside their class scope.

Finally, we audit additional information for user role related changes.
