How to determine the new file name from the rename audit log?

[Windows 2008 R2 file system auditing]

When I delete a file, two event log audit messages appear: 4663, meaning a request to delete the file, and 4660, confirming the deletion. They can be joined by the Handler attribute.

When I rename a file, two event log audit messages appear: 4663, meaning a request to delete the file, and 4663 for creating the new file (but with only the folder path, no file name).

When I move a file from one folder to another, the picture is the same as for a rename (because a move is actually a rename, OK).

When I create a new file, no events appear at all.

So, the questions: 1. What am I missing to audit file creation? 2. What am I missing to audit file renames?


My AuditPol.EXE export (DACL and SACL):

 Category/Subcategory                        Setting
 System
   Security System Extension                 Failure
   System Integrity                          Failure
   IPsec Driver                              Failure
   Other System Events                       Failure
   Security State Change                     Failure
 Logon/Logoff
   Logon                                     Success and Failure
   Logoff                                    Success and Failure
   Account Lockout                           Success and Failure
   IPsec Main Mode                           Success and Failure
   IPsec Quick Mode                          Success and Failure
   IPsec Extended Mode                       Success and Failure
   Special Logon                             Success and Failure
   Other Logon/Logoff Events                 Success and Failure
   Network Policy Server                     Success and Failure
 Object Access
   File System                               Success
   Registry                                  No Auditing
   Kernel Object                             No Auditing
   SAM                                       No Auditing
   Certification Services                    No Auditing
   Application Generated                     No Auditing
   Handle Manipulation                       No Auditing
   File Share                                No Auditing
   Filtering Platform Packet Drop            No Auditing
   Filtering Platform Connection             No Auditing
   Other Object Access Events                No Auditing
   Detailed File Share                       No Auditing
 Privilege Use
   Sensitive Privilege Use                   Failure
   Non Sensitive Privilege Use               Failure
   Other Privilege Use Events                Failure
 Detailed Tracking
   Process Termination                       Failure
   DPAPI Activity                            Failure
   RPC Events                                Failure
   Process Creation                          Failure
 Policy Change
   Audit Policy Change                       Failure
   Authentication Policy Change              Failure
   Authorization Policy Change               Failure
   MPSSVC Rule-Level Policy Change           Failure
   Filtering Platform Policy Change          Failure
   Other Policy Change Events                Failure
 Account Management
   User Account Management                   Failure
   Computer Account Management               Failure
   Security Group Management                 Failure
   Distribution Group Management             Failure
   Application Group Management              Failure
   Other Account Management Events           Failure
 DS Access
   Directory Service Changes                 No Auditing
   Directory Service Replication             No Auditing
   Detailed Directory Service Replication    No Auditing
   Directory Service Access                  Success
 Account Logon
   Kerberos Service Ticket Operations        Success and Failure
   Other Account Logon Events                Success and Failure
   Kerberos Authentication Service           Success and Failure
   Credential Validation                     Success and Failure

 Entry:          1
 Resource Type:  File
 User:           CONTOSO\Domain Users
 Flags:          Success
 Accesses:       FILE_WRITE_DATA
                 FILE_APPEND_DATA
                 FILE_DELETE_CHILD
                 DELETE

 The command was successfully executed.

This is a complicated answer. While I gather the relevant links (this is because of the reasons it is hard to do reliably in the audit system¹), try:

Use SysMon and look at EventID 2.

Related unanswered question.

¹ They all boil down to the behaviour of the CreateFile() API, the different parameters it can receive, from where, hooks, architecture, and how consumers handle those messages once they get them. Detecting the change in the file's creation time should get rid of all that.
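As an added example (not code from the question or the answer), a PowerShell script that pairs the 4663 and 4660 events by handle ID the way the question describes, so that confirmed deletions can be told apart from the lone 4663 entries, and then lists the Sysmon Event ID 2 entries the answer points at. It assumes the Security log field names (HandleId, ObjectName, SubjectUserName) and the default Sysmon log name Microsoft-Windows-Sysmon/Operational.

```powershell
# Added example (not from the question or the answer): pair 4663/4660 events by
# HandleId and list Sysmon Event ID 2 entries. Run elevated on a host with
# file-system auditing enabled (and Sysmon installed for the second part).
function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    # Security and Sysmon events carry their fields as <Data Name="..."> elements
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4663 (access requested; carries the object name) and 4660 (object deleted;
# carries only the handle) share the same HandleId, so pair them on it.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4660 } -MaxEvents 2000
$byHandle = @{}
foreach ($e in $events) {
    $handle = Get-EventDataField -Event $e -Name 'HandleId'
    if (-not $byHandle.ContainsKey($handle)) { $byHandle[$handle] = @{} }
    if ($e.Id -eq 4663) {
        $byHandle[$handle].Name = Get-EventDataField -Event $e -Name 'ObjectName'
        $byHandle[$handle].User = Get-EventDataField -Event $e -Name 'SubjectUserName'
    } else {
        $byHandle[$handle].DeletedAt = $e.TimeCreated
    }
}

# Only handles that saw both a 4663 and a 4660 are confirmed deletions
$byHandle.GetEnumerator() |
    Where-Object { $_.Value.DeletedAt -and $_.Value.Name } |
    ForEach-Object {
        [pscustomobject]@{
            HandleId  = $_.Key
            Object    = $_.Value.Name
            User      = $_.Value.User
            DeletedAt = $_.Value.DeletedAt
        }
    } | Format-Table -AutoSize

# Sysmon Event ID 2: a process changed a file's creation timestamp
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 2 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time  = $_.TimeCreated
            Image = Get-EventDataField -Event $_ -Name 'Image'
            File  = Get-EventDataField -Event $_ -Name 'TargetFilename'
            From  = Get-EventDataField -Event $_ -Name 'PreviousCreationUtcTime'
            To    = Get-EventDataField -Event $_ -Name 'CreationUtcTime'
        }
    } | Format-Table -AutoSize
```

Reading the Security log requires administrative rights; the second query simply prints nothing on a host without Sysmon.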