Questions tagged [audit]

Observing/logging a resource for purposes of:
- Adding it to a blacklist or whitelist
- Keeping tabs on the security of a system

325 questions
2
votes
2 answers

How to remove file auditing rules via PowerShell?

Here's a script to turn on an audit rule: $path = 'C:\...\*' $ACL = new-object System.Security.AccessControl.FileSecurity $AccessRule = new-object…
Jordan W.
  • 1,423
  • 1
  • 13
  • 20
2
votes
2 answers

Determine when a Domain Controller was promoted

On Windows Server 2003 standard is there a way to determine when a domain controller was promoted? This is for an Active Directory 2000 functional domain. The event logs don't go back far enough.
PaulWaldman
  • 508
  • 5
  • 14
2
votes
1 answer

Windows 2008 Audit - Access Request Information

I'm auditing some folders in a Windows 2008 R2 server and I have a "Success Audit" entry in the Security Event Log with the following "Access Request Information": Access Request Information: Accesses: %%1537 …
Norba
  • 57
  • 4
  • 11
2
votes
5 answers

Export a list of installed features on a Windows 2008 server

I have been asked to specify the features which are installed on a production web server so a replica test environment can be created. I could point and click my way to the solution but I am curious as to how this could be done through a script.…
Keith Bloom
  • 257
  • 2
  • 4
  • 10
2
votes
2 answers

Best practice ACLs to prepare for auditors?

An auditor will be visiting our office soon, and they will require read-only access to our data. I have already created a domain user account and placed them into a group called "Auditors". We have a single fileserver (Windows Server 2008) with…
Nic
  • 13,425
  • 17
  • 61
  • 104
2
votes
3 answers

Tools to monitor users activity on Linux/Unix servers

Is there any specific open source tool which can be used to monitor what users are doing on a Linux system? I have multiple servers and with access to some users on them. I want to monitor which user ran which commands at what time. I want it to be…
Ramesh Kumar
  • 1,770
  • 5
  • 19
  • 29
2
votes
2 answers

Tracking who installed Software on server

Am I correct, that if a program is installed on a Server and shows up in the 'Add Remove/Program programs', then it must have been installed when a user has logged onto the server either at the physical console, or using RDP and not when a user has…
sgmoore
  • 652
  • 5
  • 10
2
votes
1 answer

Tracking which computer printed a document on Windows 2003 domain

Currently, when a user prints a document there is an Event ID 10 recorded in our event log. We have mostly XP Clients on a Win2003 domain. However, I cannot tell which computer this user printed a document from. How can I track which computer a user…
testguy
2
votes
2 answers

See what time a user logged into a Windows box

From a Windows XP command line, how do I get the time I logged into and/or out of the current machine? I'm looking for something like the UNIX last command which lists active and previous login sessions. Thanks, John
John in MD
  • 221
  • 2
  • 9
2
votes
3 answers

How to read the transaction log for SQL Server 2008

I'd like to know whether there is any way of browsing/searching the SQL Server transaction logs (any version). We've previously used tools such as Lumigent Log Explorer against SQL Server 2000 which fulfilled our need, but the product no longer…
MartW
  • 1,305
  • 10
  • 15
2
votes
1 answer

"aureport -x --summary" shows -> /usr/sbin/sshd;61b30d72 (deleted)

On one of the machines running CentOS i.e. cat /etc/redhat-release CentOS Linux release 7.9.2009 (Core) I found something strange by the command aureport -x --summary aureport -x --summary Executable Summary…
Tito
  • 143
  • 1
  • 8
2
votes
4 answers

Checking the configuration of two systems to determine changes

We are standing up a replicant data center at work and need to ensure that the new data center is configured (nearly) identically to the original. The new data center will be differently addressed and named than the original and will have differing…
None
2
votes
1 answer

CentOS doesn't boot with "A stop job is running for Security Auditing Service" message

CentOS prints the following during boot [ *** ] A stop job is running for Security Auditing Service (9s / 1min 30s) and then switches into the single user mode.
McLayn
  • 61
  • 1
  • 7
2
votes
1 answer

Linux audit files(data=)

type=TTY msg=audit(08/12/2020 02:33:30.163:107) : tty pid=2709 uid=e4ws5 auid=root ses=1 major=4 minor=1 comm=sh data="/bin/bash -i", Can anyone tell me how in this audit.log there is a field name called data= which contains the commands that…
Vexer
  • 23
  • 2
2
votes
1 answer

Comparing two Linux servers for any differences

I tried to find a similar post, but couldn't. Apologies if this is a duplicate. We have a number of RHEL6 servers hosting different applications. Over time, these servers have had some tweaks to system parameters such as tcp_fin_timeout,…