
ONTAP Discussions

Auditing, Object Open for Delete and Object Access Attempt

mangiari

Hi, I'd like to have some additional information about events I sometimes gather while auditing CIFS shares.
The first one is EventID 563, Object Open for Delete: NetApp Library (https://library.netapp.com/ecmdocs/ECMP1196993/html/GUID-1BC2FAB0-A641-4D16-A4A0-44871F560509.html) says this is a Logon/Logoff event, but I think this is not true.

The second is EventID 567, Object Access Attempt. I've noticed I gather this every 32KB of data read, can anyone confirm this? Also, these events have more information than what is expected from MS documentation: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&EvtID=567&Evtsrc=Security. Other than the "standard" fields, I also have the file name and additional information about who did it. Where can I find more documentation about this? Are there any other "non standard" events?

Thanks

AdvUniMD

The first Event (ID 563) happens when a file is opened with FILE_DELETE_ON_CLOSE which is usually used for temporary files. NetApp will automatically delete that file when the last open file handle to it has been closed. Note that you (or rather a program) can also use that flag to force deletion of a file that is currently in use by another program (it still needs the delete-permission to the file itself of course, you cannot delete random files that way)

See for example here or here
The second event was introduced with Windows Server 2003 (I think) and is thus not really a "non-standard" event. See here or here for a few details

mangiari

First of all, thank you.

Actually, eventID 563 seems to happen even when deleting normal files, not just temporary ones. I've installed a NetApp simulator and created some shares, and when I try to delete something, the following are always triggered:

  • Object Open with DELETE access on <filename>
  • Handle closed

Then, if I press "I'm sure to delete" in explorer.exe:

  • Object Open with DELETE accesses on <filename>
  • Handle closed
  • Object Access Attempt with DELETE and DELETE_CHILD accesses, on <filename>.

Can I safely assume there isn't a delete until I find the last event? Online documentation does not state anything about...

I'm looking for something that spares me the need to empirically find out the "real" action. But again, I found no clear documentation at all.
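The two sequences listed above, as an added example that is not part of the thread or of NetApp's tooling: a small Python correlation over constructed audit records that reports a file as deleted only once an Object Access Attempt (567) carrying DELETE access follows its Object Open for Delete (563). The event and field names, the "Handle closed" record shape and the status labels are assumptions, not the filer's export format.

```python
# Added example (not NetApp's code or the poster's): correlate the audit
# event sequence described in the thread, per file and handle, so that a
# file is reported as deleted only after an Object Access Attempt (567)
# carrying DELETE access, not merely on an Object Open for Delete (563).
# Event names, field names and the status labels are assumptions.

# Constructed sample records mirroring the two sequences seen in the simulator.
SAMPLE_EVENTS = [
    # Explorer shows its confirmation dialog: open with DELETE access, then close.
    {"name": "Object Open for Delete", "id": 563, "object": "\\share\\old.txt",
     "accesses": ["DELETE"], "handle": 1},
    {"name": "Handle closed", "id": None, "object": "\\share\\old.txt",
     "accesses": [], "handle": 1},
    # User confirms: the same pair again, followed by the 567 with DELETE access.
    {"name": "Object Open for Delete", "id": 563, "object": "\\share\\gone.txt",
     "accesses": ["DELETE"], "handle": 2},
    {"name": "Handle closed", "id": None, "object": "\\share\\gone.txt",
     "accesses": [], "handle": 2},
    {"name": "Object Access Attempt", "id": 567, "object": "\\share\\gone.txt",
     "accesses": ["DELETE", "DELETE_CHILD"], "handle": 2},
    # Reads also emit 567s (one per 32 KB per the poster); they carry no DELETE.
    {"name": "Object Access Attempt", "id": 567, "object": "\\share\\big.bin",
     "accesses": ["ReadData"], "handle": 3},
]

OPENED = "opened_for_delete"        # 563 seen, handle still open
CLOSED = "closed_without_delete"    # handle closed, no DELETE access recorded yet
DELETED = "delete_access_recorded"  # 567 with DELETE access seen


def classify_deletes(events):
    """Walk the events in order and return {object: status}.

    Only objects that were opened for delete or hit with a DELETE access
    attempt appear in the result; plain reads (567 without DELETE) are ignored.
    """
    status = {}
    open_handles = {}  # handle -> object, used to match "Handle closed" records
    for ev in events:
        obj, name = ev["object"], ev["name"]
        if name == "Object Open for Delete":
            open_handles[ev["handle"]] = obj
            if status.get(obj) != DELETED:
                status[obj] = OPENED
        elif name == "Handle closed":
            closed_obj = open_handles.pop(ev["handle"], None)
            if closed_obj is not None and status.get(closed_obj) == OPENED:
                status[closed_obj] = CLOSED
        elif name == "Object Access Attempt" and "DELETE" in ev["accesses"]:
            status[obj] = DELETED
    return status
```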
