Questions tagged [audit]

Observing/logging a resource for purposes of:
- Adding it to a blacklist or whitelist
- Keeping tabs on the security of a system

325 questions
1 vote, 0 answers

Windows Server File auditing Filtering for true file opens

I'm auditing for Event ID 4663 in the security log of a Windows file server for users opening files, and I'm finding that there seem to be, in my opinion, some false positives. I have a Windows Server 2008 R2 server acting as a File Server that has a…
1 vote, 1 answer

Auditing NTLM authentication on Domain Controllers: which GPO?

We are wanting to turn on NTLM authentication auditing to gather further details on some clients trying to authenticate using NTLM to the domain/DCs. Specifically we want to enable: Network security: Restrict NTLM: Audit NTLM authentication in…
TheCleaner
1 vote, 5 answers

One computer per network jack

I want to have a setup in which once I configure a single MAC address for a network jack only that computer may be connected to it. Also, I want to make sure that there is no way a person may get a router's MAC address registered and hook up…
1 vote, 1 answer

GDPR - Server access logging at the point of authentication

In the UK we are undergoing a large reform of data protection policy known as GDPR. For one client we need to beef up our auditing on access to certain servers by our support and development team. I want to know not only who logged in to a servers…
Damo
1 vote, 1 answer

Local PC Event Viewer not logging account creation/deletion

I have a GPO that is setting audit account management success/failure on a Windows 7 workstation. RSOP User Acc is created Any idea what could be causing this issue with logging events?
1 vote, 1 answer

How to monitor success or failure of attempts to modify security settings or permissions in AWS?

In the AWS console, I can assign an IAM user to a group whose permissions are defined by associated policies. The credential report in IAM seems to only report some basic attributes of each IAM user and its last login time (inferred from various fields…
Anthony Kong
1 vote, 2 answers

Windows file / folder Auditing not working if member of AD domain

I need to implement file / folder auditing for Windows 7-10 workstations so that all access by members of Domain Admins (read, write/modify, create, delete) is logged. I have enabled "Audit object access" in the group policy and it is in effect…
Zek
1 vote, 0 answers

Sending audit logs with rsyslog from CentOS to auditdistd on FreeBSD

I am trying to send audit trails from rsyslog running on CentOS to auditdistd on FreeBSD using TLS. auditdistd can be both sender and receiver. I would like to trick auditdistd into thinking that rsyslog is auditdistd running on a different…
1 vote, 1 answer

auditd - Getting only EXECVE in ausearch?

I'd like to use the auditd daemon to log whatever is run as or by root on our servers. To that effect, I added the following lines to /etc/audit/audit.rules: # Log all commands run as (or by) root -a exit,always -F arch=b64 -F euid=0 -S execve -k…
1 vote, 0 answers

How to set up NFS audit options using nfsadmin on Windows 2012 R2

Hi guys, I need to set up two audit options using the command line on a bunch of my NFS servers (Windows 2012 R2), like this: nfsadmin server config audit = +mount audit= +locking I'm pretty sure this is the correct syntax, but the nfsadmin command-line tool thinks…
1 vote, 1 answer

Redirect to new log file selected event id - Manage the security event id 4624 and 4634 flooding

The security logs of the two domain controllers of my network are flooded by security event IDs 4624 and 4634 and, to a lesser extent, 4672. Reading from the internet, such behavior is quite common and does not necessarily mean an underlying issue /…
1 vote, 0 answers

How to record audit logs for only one specified file in FreeBSD?

On Red Hat Linux I can specify the file I want to record audit logs for with this command: auditctl -a exit,always -F path=/tmp/foo.txt -F perm=war I cannot figure out how to do a similar thing on FreeBSD. The only way I've found to record audit…
1 vote, 1 answer

How to know which files to specify exclusions for the installers of whitelisted apps using hashes with a Windows GPO?

To specify in the software restriction GPO, the hashes of executable/script files that are allowed to execute during the installation of a program run from, for example %LOCALAPPDATA%\Temp, during installation; how does one figure out what programs…
leeand00
1 vote, 0 answers

MariaDB audit log empty host

I'm running MariaDB 10.0.23 with the audit plugin logging CONNECT type. The audit log is showing a failed connect with error 1042. Does the host field not show the IP address when a host cannot be resolved? Any insight would be appreciated. Log…
greg
1 vote, 2 answers

CLI security program via tail

I am looking for a cli (command line interface) program that would basically tail either 1 log or a set of logs in /var/log and on the fly output in a more friendly manner. Perl would be best but isn't a prerequisite.
Unfundednut