Computer systems may implement security policies to protect their information and service resources from unauthorized access. Such systems may audit, for example, directory and file accesses or server events and record such events in security logs. The logs may be reviewed to help flag security breaches. Users of such systems may configure the security audits to track certain events and may decide to forgo tracking other events.
Security policies may be divided into groups, and each group is hereinafter referred to as a “category.” Each category of security policies includes individual audit events. For example, one category of security policies may be an object access audit category. The object access audit category may include individual security audits of accesses to, for example, the file system, the registry, and the kernel objects. In such a system, if a user wants the results of an individual audit event, then the computer system may be directed to perform an audit of an entire category, resulting in an audit of each security event in the category. For example, if a user would like to audit accesses to the file system, then the user instigates an audit of the object access category and obtains results of accesses to the file system as well as to the registry and the kernel.
Such a system prevents users from exercising a fine degree of control over security audits. That is, users may be unable to instigate a security audit of only the file system even though they may be uninterested in the results of the security audit of the registry or kernel accesses. This extraneous noise in the form of undesired security audits of the registry and kernel accesses unnecessarily consumes system resources and inhibits optimal system performance.
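The following is an added illustration, not part of the original text: a small model of the category-only audit switch described above, run over constructed access events, next to a hypothetical per-event switch for comparison. The category and event names follow the passage; the `enabled_events` setting, the sample events, and all function names are assumptions made for the example.

```python
from collections import Counter

# Taxonomy taken from the passage: one category holding three audit events.
CATEGORIES = {"object_access": {"file_system", "registry", "kernel_object"}}

# Constructed access events (event type, subject, object); not real log data.
EVENTS = [
    ("file_system", "alice", r"C:\payroll\q3.xlsx"),
    ("registry", "svc_update", r"HKLM\Software\Example\Run"),
    ("kernel_object", "svc_update", "Mutex:ExampleLock"),
    ("registry", "alice", r"HKCU\Software\Example\Prefs"),
    ("file_system", "bob", r"C:\payroll\q3.xlsx"),
    ("kernel_object", "bob", "Event:ExampleReady"),
    ("registry", "svc_update", r"HKLM\Software\Example\State"),
]


def category_of(event_type):
    """Map an individual audit event to the category that contains it."""
    for category, members in CATEGORIES.items():
        if event_type in members:
            return category
    raise KeyError(event_type)


def audit(events, enabled_categories=(), enabled_events=()):
    """Return the records a policy would write to the security log.

    enabled_categories models the category-only switch the passage describes.
    enabled_events is a hypothetical per-event switch, included for comparison.
    """
    return [e for e in events
            if category_of(e[0]) in enabled_categories or e[0] in enabled_events]


def noise_report(records, wanted):
    """Count records per event type and the fraction the reviewer did not want."""
    counts = Counter(r[0] for r in records)
    unwanted = sum(n for t, n in counts.items() if t not in wanted)
    return counts, (unwanted / len(records) if records else 0.0)


if __name__ == "__main__":
    wanted = {"file_system"}  # the reviewer only cares about file accesses
    policies = [
        ("category-level", audit(EVENTS, enabled_categories={"object_access"})),
        ("per-event", audit(EVENTS, enabled_events=wanted)),
    ]
    for label, records in policies:
        counts, fraction = noise_report(records, wanted)
        print(f"{label:15} {len(records)} records, {fraction:.0%} unwanted, {dict(counts)}")
```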