From: Christopher Kish (kishme_at_integic.com)
Date: Wed, 8 Oct 2003 11:32:53 -0700
I am looking at using AZMan (authorization manager) for
application security. I have a requirement to audit
changes made to the security store such that an auditor
can view the user who changed the store and what was
changed. I also must provide the application in an
environment that may not have Windows 2003 Active
Directory capabilities. I chose to test AZMan using an
XML data store. I've followed the instructions in the
help file regarding enabling auditing, by doing the
1: Create a security store (in my case c:\test.xml)
2: Enable object auditing in security policy (I have
local success and fail turned on for object access)
3: Allow use of "Generate Security Audits" and "Manage
Auditing and Security Log" system privileges (assigned to
Administrators group - I am logged in as an administrator)
4: Check "Runtime application initialization auditing"
and "Runtime client context and access check auditing"
checkboxes (both are checked).
I have been unable to get any meaningful audits out of
the authorization manager. I see events indicating that
I accessed the file using the mmc process, but there is
no information about what exactly was changed. Is this
normal and what is considered auditing? If so, it
doesn't give auditors a very good view into what was done
to the authorization store. If this is not normal, what
else should I check?
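
The object-access events described above record that the store file was touched and by which process, but not what changed inside it. The following is an added example, not part of the original post and not Authorization Manager code: it compares two saved copies of an XML store and lists what was added, removed or modified. The element and attribute names in the sample are constructed for illustration and are an assumption, not the actual store schema.

```python
import xml.etree.ElementTree as ET

def flatten(xml_text):
    """Map each element's path to (attributes, text).
    An element is identified by its tag plus its Name attribute, or by its
    text when it has no Name (for example a member SID)."""
    out = {}
    def walk(elem, prefix):
        text = (elem.text or "").strip()
        key = f"{prefix}/{elem.tag}[{elem.get('Name') or text}]"
        out[key] = (dict(elem.attrib), text)
        for child in elem:
            walk(child, key)
    walk(ET.fromstring(xml_text), "")
    return out

def diff_store(before_xml, after_xml):
    """Return a sorted list of (change, path) between two store snapshots."""
    before, after = flatten(before_xml), flatten(after_xml)
    changes = [("removed", k) for k in sorted(before.keys() - after.keys())]
    changes += [("added", k) for k in sorted(after.keys() - before.keys())]
    changes += [("modified", k) for k in sorted(before.keys() & after.keys())
                if before[k] != after[k]]
    return changes

# Constructed sample snapshots (hypothetical element names and SIDs).
BEFORE = """<Store>
  <Application Name="Payroll">
    <Role Name="Approver" Description="Approves payments">
      <Member>S-1-5-21-1111-2222-3333-1001</Member>
    </Role>
  </Application>
</Store>"""

AFTER = """<Store>
  <Application Name="Payroll">
    <Role Name="Approver" Description="Approves and releases payments">
      <Member>S-1-5-21-1111-2222-3333-1001</Member>
      <Member>S-1-5-21-1111-2222-3333-1002</Member>
    </Role>
    <Role Name="Auditor"/>
  </Application>
</Store>"""

if __name__ == "__main__":
    for change, path in diff_store(BEFORE, AFTER):
        print(f"{change:9} {path}")
```

Matching each snapshot's timestamp against the object-access events for the same file ties a reported change to the account that made it.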