The Auditor determines which events can be audited. Starting in Release 8.0, there are default settings for which events are monitored by the Auditor.
The AMT_AuditPolicyRule.SetAuditPolicy method enables or disables the monitoring of a single event type. The AMT_AuditPolicyRule.SetAuditPolicyBulk method (added in Release 7.0) enables or disables the monitoring of multiple event types.
Individual events can be flagged for greater monitoring at two levels: critical and super_critical.
Critical events
Any event type can be marked as “critical”, meaning that if the event fails to be logged for any reason (e.g., the audit log is full or locked or due to a flash wear-out event) the event will be prevented from occurring, since it cannot be logged. It is possible to configure the audit log policy before enabling the audit log itself.
Super_critical events
Beginning in Release 12.0, certain event types are defined as “super_critical”. These events are:
• Unprovisioning
• Opening of an SOL, Storage, or KVM redirection session
• Setting boot options for remote control operations
• Transition to post-provisioning mode when Intel AMT provisioning is complete
Super_critical events have the following properties:
• They are always logged regardless of the current logging policies, and even if the Audit Log is disabled.
• The last 5 super_critical events are kept in the log even if the log rolls over or is cleared.
• If the audit log is locked or full, the operation will fail. The only exception is unprovisioning when the audit log is full and rollover is disabled; in this case, rollover will be enabled and the unprovisioning will be executed and logged.
For backwards compatibility purposes, AMT_AuditPolicyRule.PolicyType will return “CRITICAL” for these events instead of defining a new PolicyType.
General information
Some actions may be logged and yet not be completed due to a defined limitation (e.g., attempting to delete a resource while it is still in use). This has been indicated on some of these events as “attempting” to perform the action.
The events are divided into functional groups, and each group has an application ID. Each event type within a functional group has an event ID. An event is uniquely identified by the Event Group (Application ID) and the Event ID.
For detailed descriptions of the events, including parameters and what triggers adding the event to the audit log, refer to the event groups described in the following table. The table also identifies the events that are automatically enabled starting in Release 8.0.
|
Application ID |
Event Group |
8.0 Default Setting |
|
16 |
ALL except Flash Wear-Out Counters Reset (ID=15) and Power Package Modified (ID=16) events | |
|
17 |
ALL | |
|
18 |
ALL | |
|
19 |
ALL | |
|
20 |
ALL | |
|
21 |
ALL | |
|
22 |
NONE | |
|
23 |
NONE | |
|
24 |
NONE | |
|
25 |
NONE | |
|
26 |
NONE | |
|
27 |
NONE except Wireless profile modified (ID=3) and Wireless link preference changed (ID=4) events. | |
|
28 |
NONE | |
|
29 |
ALL | |
|
30 |
ALL | |
|
31 |
Reserved |
NONE |
|
32 |
NONE 0 = start screen blanking 1= stop screen blanking | |
|
33 |
Watchdog Events (Implemented in Intel AMT Version 11.0) |
NONE
|
|
Copyright © 2006-2022, Intel Corporation. All rights reserved. |