Re: Trying to AUDIT file creation failure




"Peter Weaver" <info-vax@xxxxxxxxxxxxxxxxxxx> wrote in message
news:0ce95aa6-e8f0-48e0-9ba9-c21aed91f231@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Jun 5, 3:29 pm, "Syltrem" <syltremz...@xxxxxxxxxxxx> wrote:
"Peter Weaver" <info-...@xxxxxxxxxxxxxxxxxxx> wrote in message
...
Audit will only work if it is a privilege issue. If the disk is full for
example, audit will not trigger.

My initial question was related to the fact that CREATE is not present
here:

FILE access:
Failure: read,write,execute,delete,control

And I don't think we can get CREATE in there either.

Thanks

Syltrem

Not that it matters since you already have your answer, but just for
future reference...

You are right that you can not get

FILE access:
Failure: read,write,execute,delete,control,create

because that is not allowed, the HELP even tells you "Create access.
To audit create events for files, use the CREATE keyword." So you have
to specify;

set audit/audit/enable=(create,access=(failure))/class=file

and that gives you;

FILE access:
Failure: read,write,execute,delete,control
Other: create

This will log an event if the device is full. But in my tests it does
not tell you which device is full or even the filename that you are
trying to create. :(

Peter

Thanks Peter for trying that.

I also tried this with no luck:

$ set audit/audit/enable=(create,access=(failure))/class=file
%%%%%%%%%%% OPCOM 10-JUN-2009 14:39:44.99 %%%%%%%%%%%
Message from user AUDIT$SERVER on PHOBOS
Security alarm (SECURITY) and security audit (SECURITY) on PHOBOS, system
id: 1052
Auditable event: Security audit state set
Event time: 10-JUN-2009 14:39:44.99
PID: 2397B804
Username: TREMBLAY
Object class name: FILE
Auditing flags: FAILURE: (READ,WRITE,EXECUTE,DELETE,CONTROL)
OTHER: (CREATE)

$ cr a;;;
%CREATE-E-OPENOUT, error opening A;;; as output
-RMS-F-SYN, file specification syntax error

$ create [aaa]f.lis
%CREATE-E-OPENOUT, error opening DGSI_A1:[AAA]F.LIS; as output
-RMS-E-DNF, directory not found
-SYSTEM-W-NOSUCHFILE, no such file

Nothing from opcom comes up

But again, these do not give the ACP error.
I can't remember what will cause "%RMS-E-CRE, ACP file create failed" to
be reported by a DCL command.

Syltrem
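
Added example, not part of any poster's message: a small Python parser for the "Security audit state set" OPCOM message quoted above, for confirming from captured operator output that CREATE auditing is enabled for class FILE. The function names and the second sample (the same message with the OTHER line removed) are constructed for illustration.

```python
import re

# OPCOM text as quoted in the post above (line wrapping as it appears there).
ALARM = """\
%%%%%%%%%%% OPCOM 10-JUN-2009 14:39:44.99 %%%%%%%%%%%
Message from user AUDIT$SERVER on PHOBOS
Security alarm (SECURITY) and security audit (SECURITY) on PHOBOS, system
id: 1052
Auditable event: Security audit state set
Event time: 10-JUN-2009 14:39:44.99
PID: 2397B804
Username: TREMBLAY
Object class name: FILE
Auditing flags: FAILURE: (READ,WRITE,EXECUTE,DELETE,CONTROL)
OTHER: (CREATE)
"""

# Constructed variant: same message with the OTHER line removed, i.e. the
# state in which CREATE events are not audited.
ALARM_NO_CREATE = ALARM.replace("OTHER: (CREATE)\n", "")

FIELD = re.compile(r"^([A-Za-z ]+):\s+(.*)$")
FLAG_GROUP = re.compile(r"([A-Z]+):\s*\(([A-Z_,]+)\)")


def parse_alarm(text):
    """Return (fields, flags) for one 'Security audit state set' message."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    # Flag groups may continue on the lines after 'Auditing flags:'.
    tail = text.partition("Auditing flags:")[2]
    flags = {k: v.split(",") for k, v in FLAG_GROUP.findall(tail)}
    return fields, flags


def file_create_audited(text):
    """True if the message shows CREATE auditing enabled for class FILE."""
    fields, flags = parse_alarm(text)
    return (fields.get("Auditable event") == "Security audit state set"
            and fields.get("Object class name") == "FILE"
            and "CREATE" in flags.get("OTHER", []))


if __name__ == "__main__":
    print(parse_alarm(ALARM)[1])
    print(file_create_audited(ALARM), file_create_audited(ALARM_NO_CREATE))
```

This only confirms the audit state that was set; as the tests in the thread show, a failed create does not necessarily produce an alarm of its own.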


