:py:mod:`dissect.target.plugins.os.windows.regf.auditpol`
=========================================================

.. py:module:: dissect.target.plugins.os.windows.regf.auditpol


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.regf.auditpol.AuditpolPlugin


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.regf.auditpol.adtev_def
   dissect.target.plugins.os.windows.regf.auditpol.c_adtev
   dissect.target.plugins.os.windows.regf.auditpol.POLICY_CATEGORIES
   dissect.target.plugins.os.windows.regf.auditpol.POLICY_MAP
   dissect.target.plugins.os.windows.regf.auditpol.POLICY_VALUES
   dissect.target.plugins.os.windows.regf.auditpol.AuditPolicyRecord


.. py:data:: adtev_def
   :value: Multiline-String

   .. code-block:: python

      """
      struct header {
          uint16  unk0;
          uint16  unk1;
          uint16  num_categories;
          uint16  unk2;
          uint16  footer_offset;
          uint16  unk3;
      };
      """

.. py:data:: c_adtev

.. py:data:: POLICY_CATEGORIES
   :value: ['System', 'Logon/Logoff', 'Object Access', 'Privilege Use', 'Detailed Tracking', 'Policy...

.. py:data:: POLICY_MAP

.. py:data:: POLICY_VALUES

.. py:data:: AuditPolicyRecord

.. py:class:: AuditpolPlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Plugin that parses audit policy settings from the registry.

   .. py:attribute:: KEY
      :value: 'HKLM\\SECURITY\\Policy\\PolAdtEv'

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists.
      Otherwise it should raise an :class:`UnsupportedPluginError`.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: auditpol() -> collections.abc.Iterator[AuditPolicyRecord]

      Return audit policy settings from the registry.

      For Windows, the audit policy settings are stored in the ``HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv``
      registry key. It shows, for each possible audit event, whether it is logged.

      .. rubric:: References

      - https://countuponsecurity.com/tag/poladtev/
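
An added example, not part of dissect's own code: parsing the ``header`` structure from ``adtev_def`` with the Python standard library and bounds-checking it before any offset is trusted. Little-endian byte order, ``footer_offset`` being counted from the start of the value, and the helper names and sample bytes are assumptions made for the illustration.

```python
import struct
from typing import NamedTuple

# Field layout copied from adtev_def on this page: six consecutive uint16 values.
# Little-endian is an assumption (the usual byte order of Windows registry data).
HEADER = struct.Struct("<6H")


class AdtEvHeader(NamedTuple):
    unk0: int
    unk1: int
    num_categories: int
    unk2: int
    footer_offset: int
    unk3: int


def parse_header(blob: bytes) -> AdtEvHeader:
    """Parse and sanity-check the header of a PolAdtEv value."""
    if len(blob) < HEADER.size:
        raise ValueError(f"truncated value: {len(blob)} bytes, need {HEADER.size}")
    header = AdtEvHeader(*HEADER.unpack_from(blob, 0))
    # Assumption: footer_offset counts from the start of the value, so it has
    # to point past the header and stay inside the buffer.
    if not HEADER.size <= header.footer_offset <= len(blob):
        raise ValueError(f"footer_offset {header.footer_offset} is out of bounds")
    return header


def build_sample(num_categories: int, footer_offset: int, body_len: int) -> bytes:
    """Constructed sample value (not taken from a real system)."""
    return HEADER.pack(0, 0, num_categories, 0, footer_offset, 0) + bytes(body_len)


if __name__ == "__main__":
    sample = build_sample(num_categories=9, footer_offset=0x20, body_len=0x40)
    print(parse_header(sample))
    # A truncated value and an out-of-range footer offset are both rejected.
    for bad in (sample[:7], build_sample(9, 0x1000, 0x40)):
        try:
            parse_header(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Rejecting a truncated or inconsistent value up front keeps a damaged or tampered hive from producing misleading audit policy output during triage.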