Auditing, Object Open for Delete and Object Access Attempt

Hi, I'd like to have some additional information about events I sometimes gather while auditing CIFS shares.

 

The first one is EventID 563, Object Open for Delete: NetApp Library (https://library.netapp.com/ecmdocs/ECMP1196993/html/GUID-1BC2FAB0-A641-4D16-A4A0-44871F560509.html) says this is a Logon/Logoff event, but I think this is not true.

 

The second is EventID 567, Object Access Attempt. I've noticed I gather this every 32KB of data read, can anyone confirm this? Also, this event has more information than what is expected from the MS documentation: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&EvtID=567&Evtsrc=Security. Other than the "standard" fields, I also have the file name and additional information about who did it. Where can I find more documentation about this? Are there any other "non standard" events?

 

Thanks

Re: Auditing, Object Open for Delete and Object Access Attempt

The first event (ID 563) happens when a file is opened with FILE_DELETE_ON_CLOSE, which is usually used for temporary files. NetApp will automatically delete that file when the last open file handle to it has been closed. Note that you (or rather a program) can also use that flag to force deletion of a file that is currently in use by another program (it still needs the delete permission on the file itself of course, you cannot delete random files that way :D )

See for example here or here

 

The second event was introduced with Windows Server 2003 (I think) and is thus not really a "non-standard" event. See here or here for a few details
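As an added illustration of the delete-on-close semantics described in the reply above (this is example code written for this page, not from NetApp or from either poster), the script below correlates a small, constructed audit log and reports a file as deleted only once it has been opened for delete (event 563) and its last open handle has been closed. Event IDs 560 (Object Open) and 562 (Handle Closed) are the Windows 2003-era audit IDs for the matching open and close records; the pipe-delimited line format, the handle values and the paths are all assumptions made up for the example.

```python
# Correlate object-access audit events to infer when a delete-on-close file
# is actually removed: a file opened with FILE_DELETE_ON_CLOSE (event 563) is
# only gone once its LAST open handle is closed (event 562), so an unrelated
# handle held by another process defers the deletion.
from collections import defaultdict
from dataclasses import dataclass, field

OBJECT_OPEN = 560             # Windows audit: Object Open
HANDLE_CLOSED = 562           # Windows audit: Handle Closed
OBJECT_OPEN_FOR_DELETE = 563  # Windows audit: Object Open for Delete

# Constructed sample log (not real NetApp output). Format assumed for the
# example: event_id|handle_id|object_name  (562 carries no object name).
SAMPLE_LOG = """\
560|0x10|/vol/share/report.docx
563|0x14|/vol/share/report.docx
562|0x14|
563|0x20|/vol/share/~tmp.tmp
562|0x20|
560|0x30|/vol/share/keep.txt
562|0x30|
562|0x10|
"""


@dataclass
class FileState:
    open_handles: set = field(default_factory=set)
    delete_pending: bool = False


def parse_log(text):
    """Parse the constructed pipe-delimited format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, handle_id, object_name = line.split("|", 2)
        events.append({"event_id": int(event_id),
                       "handle_id": handle_id,
                       "object_name": object_name})
    return events


def infer_deletions(events):
    """Return object names in the order they are inferred to have been deleted.

    A file counts as deleted when it has been opened at least once with
    FILE_DELETE_ON_CLOSE (563) and the close (562) of its last open handle
    is then observed. Opens via 560 keep the file alive until closed too.
    """
    files = defaultdict(FileState)
    handle_to_file = {}
    deleted = []
    for ev in events:
        eid = ev["event_id"]
        if eid in (OBJECT_OPEN, OBJECT_OPEN_FOR_DELETE):
            name, handle = ev["object_name"], ev["handle_id"]
            handle_to_file[handle] = name
            files[name].open_handles.add(handle)
            if eid == OBJECT_OPEN_FOR_DELETE:
                files[name].delete_pending = True
        elif eid == HANDLE_CLOSED:
            name = handle_to_file.pop(ev["handle_id"], None)
            if name is None:
                continue  # close of a handle whose open was never audited
            state = files[name]
            state.open_handles.discard(ev["handle_id"])
            if state.delete_pending and not state.open_handles:
                deleted.append(name)
                state.delete_pending = False
    return deleted


if __name__ == "__main__":
    for path in infer_deletions(parse_log(SAMPLE_LOG)):
        print("deleted:", path)
```

In the sample, report.docx is opened for delete while a second handle (0x10) is still open, so it is reported deleted only at the final close of 0x10; the temp file goes immediately after its single handle closes, and keep.txt, never opened for delete, is not reported at all. This is the check a reviewer of such logs wants: a 563 alone is an intent, and the close of the last handle is the moment the object disappears.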

Re: Auditing, Object Open for Delete and Object Access Attempt

First of all, thank you.

 

Actually, eventID 563 seems to happen even when deleting normal files, not just temporary ones. I've installed a NetApp simulator and created some shares, and when I try to delete something these are always triggered:

  • Object Open with DELETE access on <filename>
  • Handle closed

Then, if I press "I'm sure to delete" in explorer.exe:

  • Object Open with DELETE accesses on <filename>
  • Handle closed
  • Object Access Attempt with DELETE and DELETE_CHILD accesses, on <filename>.

Can I safely assume there isn't a delete until I find the last event? Online documentation does not state anything about...

I'm looking for something that spares me the need to empirically find out the "real" action. But again, I found no clear documentation at all.