Re: File Open/Close Auditing
From: William McIlroy (WilliamMcIlroy_at_discussions.microsoft.com)
Date: 08/03/05
- Previous message: rene_at_tunix.de: "InitializeSecurityContext() from a Windows Service..?"
- In reply to: Richard Ward: "Re: File Open/Close Auditing"
Date: Wed, 3 Aug 2005 10:55:02 -0700
Apparently the design is, and I cannot be sure because I don't understand the
limited literature, concerned with permissions passed or failed in some
relevant Discretionary Access Control List. Any potential user of a file
will be required to acquire permission before reading or writing and that
would be granted or not granted when the file is opened. This is
conceptually going around Robin Hood's Barn with respect to what I want which
is a log entry that tells me user X opened file Y at time Z. If he opened it
then I assume he got permission and I don't care how. A user requires no
permission to close a file and so I assume there is no log entry that tells
me user x closed file Y at time Z. Oh, by the way, I'd like to see some
indication as to what files are accessed most frequently and most recently so
I can remove the least used files from my computer. Any ideas about that?
--
William McIlroy

"Richard Ward" wrote:
> The auditing ACEs allow you to specify which account triggers the audit,
> as well as what access. So, you can create an audit ACE that triggers
> when user foo opens the file for read, but not write. You can generate
> the audits that you want, but you will need some correlation to produce
> the report that you want. I'm not sure by what you mean "every file
> access..." If you have marked every file to be audited, you will get an
> audit for each open and each close, with the access rights granted for
> the open and which were used on the close.
>
> "William McIlroy" <WilliamMcIlroy@discussions.microsoft.com> wrote in
> message news:BD331455-BBD0-471A-B61A-E0C1D4F40164@microsoft.com...
> > The file/folder property page allows an administrator to mark files and
> > folders for auditing. Exactly what events are recorded isn't clear from
> > the user interface. What doesn't seem to occur is logging of only these
> > events: when a file is opened, when a file is closed. Somehow what events
> > get audited has become mixed up with file access permissions per DACR.
> > Which files are audited is apparently only those that have been marked for
> > auditing. If the administrator decides to mark the root directory and all
> > its contents for auditing then we get (or do we?) to the situation where
> > every file access (open, close, read, write, create, delete,...) is
> > recorded in a log.
> >
> > I'd like to log only opens and closes, by whom, through what network
> > connection (if any), and when for every file in all file systems. Is this
> > possible? If so, how?
> > --
> > William McIlroy
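Added example, not part of either poster's message: a sketch of the correlation the quoted reply says is needed to turn per-handle audits into "user X opened file Y at time Z" and a least-used list. It assumes the audits are Security log events 4656 (handle requested) and 4658 (handle closed), which are 560 and 562 on Windows XP/2003, and that they were already exported into dictionaries; the field names and sample records are constructed for illustration.

```python
from collections import Counter
from datetime import datetime

OPEN_ID, CLOSE_ID = 4656, 4658  # 560 / 562 on Windows XP and Server 2003

# Constructed sample records. The close event carries no file name, only the
# process ID and handle ID, which is why open and close must be correlated.
SAMPLE = [
    {"id": 4656, "time": "2005-08-03T09:00:00", "user": "carol", "pid": 300, "handle": "0x20", "file": r"C:\data\old.txt"},
    {"id": 4656, "time": "2005-08-03T10:00:00", "user": "alice", "pid": 812, "handle": "0x1a4", "file": r"C:\data\plan.doc"},
    {"id": 4656, "time": "2005-08-03T10:01:00", "user": "bob", "pid": 940, "handle": "0x1a4", "file": r"C:\data\budget.xls"},
    {"id": 4658, "time": "2005-08-03T10:02:00", "user": "bob", "pid": 940, "handle": "0x1a4"},
    {"id": 4658, "time": "2005-08-03T10:05:00", "user": "alice", "pid": 812, "handle": "0x1a4"},
    {"id": 4656, "time": "2005-08-03T11:00:00", "user": "alice", "pid": 812, "handle": "0x1a4", "file": r"C:\data\plan.doc"},
    {"id": 4658, "time": "2005-08-03T11:30:00", "user": "alice", "pid": 812, "handle": "0x1a4"},
]

def correlate(events):
    """Pair each open with its close. Returns (closed_sessions, still_open)."""
    open_handles = {}  # (pid, handle) -> session; handle values repeat across processes
    sessions = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["pid"], ev["handle"])
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == OPEN_ID:
            open_handles[key] = {"user": ev["user"], "file": ev["file"],
                                 "opened": when, "closed": None}
        elif ev["id"] == CLOSE_ID and key in open_handles:
            session = open_handles.pop(key)  # pop so a reused handle starts fresh
            session["closed"] = when
            sessions.append(session)
    return sessions, list(open_handles.values())

def usage(sessions):
    """Per file: (name, open count, most recent open), least used first."""
    count = Counter(s["file"] for s in sessions)
    last = {}
    for s in sessions:
        last[s["file"]] = max(last.get(s["file"], s["opened"]), s["opened"])
    return sorted(((f, count[f], last[f]) for f in count), key=lambda r: (r[1], r[2]))

if __name__ == "__main__":
    closed, still_open = correlate(SAMPLE)
    for s in closed + still_open:
        print(s["user"], s["file"], s["opened"], s["closed"])
    for row in usage(closed + still_open):
        print(row)
```

Handle IDs are only unique within one process on one machine, so records collected from several hosts need the computer name added to the key.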