Files and directory access logging
So I tried using a script to filter out all events regarding file access, but that looks like a time-consuming method.
So please, if anyone has a better idea or a software name.
ItDefPat1 | Jun 28 2005 5:53PM GMT
Yes, auditing every event is a big load (pun also intended). Mainframes could do all that, but it is not at all common on any distributed platform (like windows, or generic unix). Mostly, you would have to have that kind of function built into the APPLICATION. The closest to that would be to build folder rights so that only a specific application could access the files there (users get no direct access to data). Not easy, unless using a DB or ERP system.
If the application doesn't (or you aren't building the app) do enough audit, authentication and authorization, then you would have to do a proxy scenario (the proxy might do it). But to get an off-the-shelf proxy means mostly only http apps (or build the proxy for the app - again, not pretty).
Maybe you want to control access to the share. Would putting the server on an isolated network segment work? That would provide protection, authentication and alerting.
This is all very complex, tricky and time consuming. Yuck.
Like the other guy said, the boss is asking for way more than what can be managed. This doesn't even take into account all the manpower to review all those logs (windows sys logs). After all, you just want to know about violations, not that people are opening files all day long, right? Yikes.
And is there a policy to mandate this type of review?
Is there a process to manage (and staff to support)?
Maybe what you want is strong authentication? Throw in some crypto on the files; this might be a PKI. The firewall isolation noted above, with strong authentication, is probably the easiest and provides a good return on investment, low maintenance and management efforts, decent reporting and alerting.
IT Defense
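The question asks for a scripted way to filter file-access events, and the reply above makes the point that the reviewer only wants violations, not every read. The script below is an added example, not code from either poster: it triages a constructed sample in a tab-separated layout loosely modelled on an export of Windows Security event 4663 ("An attempt was made to access an object"), keeping only denied attempts, write/delete accesses, and reads from a share the account does not usually work in. The field layout, server and share names, accounts and the USUAL_SHARES mapping are all assumptions; the access-mask bit values are the standard Windows file access rights.

```python
from collections import defaultdict

# Access-mask bits from the Windows file access rights (winnt.h).
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_APPEND_DATA = 0x0004
DELETE = 0x10000
WRITE_BITS = FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE

# Constructed sample, one tab-separated record per line (assumed export layout):
# time, event id, audit result, account, object path, access mask.
SAMPLE_LOG = """\
2005-06-28T09:01:02\t4663\tSuccess\tCORP\\alice\t\\\\FS1\\Finance\\q2.xls\t0x1
2005-06-28T09:01:05\t4663\tSuccess\tCORP\\alice\t\\\\FS1\\Finance\\q2.xls\t0x2
2005-06-28T09:02:10\t4663\tSuccess\tCORP\\bob\t\\\\FS1\\Finance\\budget.doc\t0x1
2005-06-28T09:03:44\t4663\tFailure\tCORP\\bob\t\\\\FS1\\HR\\salaries.xls\t0x1
2005-06-28T09:05:00\t4663\tSuccess\tCORP\\carol\t\\\\FS1\\HR\\salaries.xls\t0x10000
2005-06-28T09:06:30\t4663\tSuccess\tCORP\\bob\t\\\\FS1\\Finance\\budget.doc\t0x1
2005-06-28T09:07:00\t4663\tSuccess\tCORP\\alice\t\\\\FS1\\HR\\policy.doc\t0x1
"""

# Assumed baseline: which shares each account normally works in.
USUAL_SHARES = {
    "CORP\\alice": {"Finance"},
    "CORP\\bob": {"Finance"},
    "CORP\\carol": {"HR"},
}


def parse_record(line):
    """Split one exported record into typed fields."""
    time, event_id, result, user, path, mask = line.rstrip("\n").split("\t")
    return {
        "time": time,
        "event_id": int(event_id),
        "result": result,
        "user": user,
        "path": path,
        "mask": int(mask, 16),
    }


def share_of(path):
    """Return the share name from a UNC path like \\\\server\\share\\file."""
    parts = path.split("\\")
    return parts[3] if len(parts) > 3 else None


def classify(rec, usual_shares):
    """Return a reason string if the record is worth a reviewer's time, else None."""
    if rec["event_id"] != 4663:
        return None
    if rec["result"] != "Success":
        return "denied"                  # the ACL already blocked it; still worth seeing
    if rec["mask"] & WRITE_BITS:
        return "write/delete"            # content was changed or removed
    if share_of(rec["path"]) not in usual_shares.get(rec["user"], set()):
        return "outside usual share"     # a read, but somewhere the account does not belong
    return None                          # routine read in the account's own share: drop


def triage(log_text, usual_shares):
    """Reduce the full access log to findings grouped by account."""
    findings = defaultdict(list)
    examined = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        examined += 1
        rec = parse_record(line)
        reason = classify(rec, usual_shares)
        if reason:
            findings[rec["user"]].append((reason, rec["path"]))
    return {"examined": examined, "findings": dict(findings)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, USUAL_SHARES)
    print(f"{report['examined']} records examined")
    for user, items in sorted(report["findings"].items()):
        for reason, path in items:
            print(f"{user}\t{reason}\t{path}")
```

On the sample, seven records collapse to four findings; the routine reads in each account's own share are the noise the reply complains about, and they are exactly what the classifier drops. The USUAL_SHARES baseline is the part that needs real input from the business: without it, every read looks the same to the script.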
nalluk | Jul 20 2005 4:26PM GMT
We do generate a daily report containing all files and directories accessed every day by resources and users on any given server in multiple Domains. Try using EventTracker Enterprise Eventlog Management software from Prism Microsystems, Inc. Not only does it do what you need, it also does SOX, GLBA and HIPAA compliance reports.