Audit Kernel Object

Audit Kernel Object determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores.

Only kernel objects with a matching system access control list (SACL) generate security audit events. The audits generated are usually useful only to developers.

Typically, kernel objects are given SACLs only if the AuditBaseObjects or AuditBaseDirectories auditing options are enabled.

The “Audit: Audit the access of global system objects” policy setting controls the default SACL of kernel objects.

Event volume: High.

Computer Type       General Success   General Failure   Stronger Success   Stronger Failure
Domain Controller   No                No                No                 No
Member Server       No                No                No                 No
Workstation         No                No                No                 No

Comments (all computer types): Typically, Kernel Object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high. There is no recommendation to enable this subcategory unless you know exactly what you need to monitor at the kernel object level.

Events List:

  • 4656(S, F): A handle to an object was requested.

  • 4658(S): The handle to an object was closed.

  • 4660(S): An object was deleted.

  • 4663(S): An attempt was made to access an object.
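The following PowerShell is an added example, not part of the original page: it checks the three things the text ties together before an administrator decides whether to enable this subcategory, namely the auditpol setting for the Kernel Object subcategory, the AuditBaseObjects and AuditBaseDirectories values behind the "Audit: Audit the access of global system objects" policy, and the recent volume of the four listed event IDs. It assumes an elevated session on Windows; the LSA registry path and the CSV column names of auditpol /r are taken from the author's knowledge of those tools, not from this page.

```powershell
# Added example, not from the original page: report how Kernel Object auditing is
# configured on this host and gauge recent event volume before enabling it.
# Assumes an elevated PowerShell session on Windows with auditpol.exe available.

function Get-KernelObjectAuditState {
    # auditpol /r emits CSV (one header row plus one row per subcategory);
    # drop blank lines before parsing.
    $row = & auditpol.exe /get /subcategory:"Kernel Object" /r |
        Where-Object { $_ -match '\S' } | ConvertFrom-Csv

    # The "Audit: Audit the access of global system objects" policy is stored as
    # the LSA value AuditBaseObjects (1 = enabled); AuditBaseDirectories sits beside it.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SubcategorySetting   = $row.'Inclusion Setting'        # e.g. "No Auditing"
        AuditBaseObjects     = ($lsa.AuditBaseObjects -eq 1)
        AuditBaseDirectories = ($lsa.AuditBaseDirectories -eq 1)
    }
}

function Get-ObjectAccessEventVolume {
    param([int]$Hours = 24)
    # 4656/4658/4660/4663 are shared with other Object Access subcategories
    # (File System, Registry, ...), so this count is an upper bound for kernel objects.
    $filter = @{
        LogName   = 'Security'
        Id        = 4656, 4658, 4660, 4663
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object -Property Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

$state = Get-KernelObjectAuditState
$state | Format-List

# Flag the two combinations the page describes: the subcategory enabled without a
# default SACL source yields almost nothing, while enabling the SACLs yields a flood.
if ($state.SubcategorySetting -ne 'No Auditing' -and -not $state.AuditBaseObjects) {
    Write-Warning 'Kernel Object auditing is on, but AuditBaseObjects is off: kernel objects carry no default SACL.'
}
if ($state.AuditBaseObjects) {
    Write-Warning 'AuditBaseObjects is enabled: expect very high Kernel Object event volume.'
}

Get-ObjectAccessEventVolume -Hours 24 | Format-Table -AutoSize
```

Run it once before and once after changing the policy to see how the event counts move; a rising 4656/4663 count with no matching detection use case is the signal to leave the subcategory disabled, as the table recommends.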