Re: Event Viewer and Security View

From: Eric Fitzgerald [MS] (ericf@online.microsoft.com)
Date: 05/21/02

Next message: Eric Fitzgerald [MS]: "Re: auditing question - single file object access creates duplicate security log messages"
Previous message: Eric Fitzgerald [MS]: "Re: Event ID 565"
In reply to: Fritz: "Event Viewer and Security View"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Eric Fitzgerald [MS]" <ericf@online.microsoft.com>
Date: Tue, 21 May 2002 11:35:52 -0700

Can you be more specific? Are you saying that you applied a SACL to a
single file to only monitor the use of the "Traverse folders" permission for
some group of users? And now you're seeing multiple object access events
for that file?

My first thought is that that is not really a meaningful permission to
audit. What behavior are you trying to monitor?

Eric

--
Eric Fitzgerald
Program Manager, Windows Auditing and Intrusion Detection
Microsoft Corporation
"Fritz" <pjfritzler@earthlink.net> wrote in message
news:4ec501c20078$82627000$9ee62ecf@tkmsftngxa05...
> Is there any way when I am auditing object access (success
> and failure) that I can limit what part of the event is
> actually logged?
>
> The problem I have is that when I configure a single event
> to audit such as "traverse", every single handle event is
> logged.  This will generate 6 separate events per
> instance, all but two of them basically useless.
>
> Yes, I know that I can filter the events that I actually
> view, but this just causes a long delay when I open the
> view itself.  In addition, these "handle" events just load
> up the log and consume disk space for no reason.
>
> HELP!
>
> Thanks in advance,
>
> Fritz
>

Next message: Eric Fitzgerald [MS]: "Re: auditing question - single file object access creates duplicate security log messages"
Previous message: Eric Fitzgerald [MS]: "Re: Event ID 565"
In reply to: Fritz: "Event Viewer and Security View"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Lessons lrnd was Re: Thrs a warONnn was Re: Cinema was Re: AlwysBeClsing was Re: Style was Re: Enter
... And as far as it turning humanity into batteries in the matrix, well if you know me, and know that I am an alien, and not just pretending to be an alien for the sake of discussion, then you might expect that I need permission before I let Goser loose on the world and I got that permission. ... But we don't need to be so paranoid, that only one company has the screens, so that they can have secret controls to monitor and shape ... Some philosophers in the past take their idea and make it into a philosophy and then apply that to the entire world. ... What kind of happy place for a learned man would not have a shelf of books? ...
(sci.physics)
Re: Permission change monitor
... Enable Object Access Success Audit Policy ... Eric Fitzgerald ... > be able to monitor ... but none of them show permission changes (ie. ...
(microsoft.public.security)
Re: execute-only permission
... I need to let "other people" access a single file in read-only mode. ... Your find command sets the permission for other users to be the same for every directory in my_base_directory, so they might be able to read other files if they can guess the names. ...
(comp.unix.shell)
Re: rm -rf *.orig not working
... parent directory's permission - you have to have a -w- permission on the ... to a single file in different directories on a single filesystem ... user has write perm on the directory in which the files live. ... Can't find a user file ...
(alt.os.linux)
Re: ]# chmod - operation not permitted
... > permission for that single file? ... permissions per file in Windows 95/98. ... Linux is good but it can't make up for every limitation of that ...
(RedHat)