[
Windows 2008 R2文件系统审核]
当我删除文件时,会出现两条事件日志审核消息:4663表示请求删除文件,4660表示确认删除. Thay可以通过属性Handler加入.
当我重命名文件时,4663表示创建新文件(但只有文件夹路径,没有文件名)
当我将文件从一个文件夹移动到另一个文件夹时,存在与重命名相同的图片(因为移动实际上是重命名,OK)
所以,问题:
1.审核文件创建时我缺少什么?
2.审核文件重命名时我缺少什么?
我的AuditPol.EXE导出(DACL和SACL):
Category/Subcategory Setting System Security System Extension Failure System Integrity Failure IPsec Driver Failure Other System Events Failure Security State Change Failure logon/logoff logon Success and Failure logoff Success and Failure Account Lockout Success and Failure IPsec Main Mode Success and Failure IPsec Quick Mode Success and Failure IPsec Extended Mode Success and Failure Special logon Success and Failure Other logon/logoff Events Success and Failure Network Policy Server Success and Failure Object Access File System Success Registry No Auditing Kernel Object No Auditing SAM No Auditing Certification Services No Auditing Application Generated No Auditing Handle Manipulation No Auditing File Share No Auditing Filtering Platform Packet Drop No Auditing Filtering Platform Connection No Auditing Other Object Access Events No Auditing Detailed File Share No Auditing Privilege Use Sensitive Privilege Use Failure Non Sensitive Privilege Use Failure Other Privilege Use Events Failure Detailed Tracking Process Termination Failure DPAPI Activity Failure RPC Events Failure Process Creation Failure Policy Change Audit Policy Change Failure Authentication Policy Change Failure Authorization Policy Change Failure MPSSVC Rule-Level Policy Change Failure Filtering Platform Policy Change Failure Other Policy Change Events Failure Account Management User Account Management Failure Computer Account Management Failure Security Group Management Failure Distribution Group Management Failure Application Group Management Failure Other Account Management Events Failure DS Access Directory Service Changes No Auditing Directory Service Replication No Auditing Detailed Directory Service Replication No Auditing Directory Service Access Success Account logon Kerberos Service Ticket Operations Success and Failure Other Account logon Events Success and Failure Kerberos Authentication Service Success and Failure Credential Validation Success and Failure Entry: 1 Resource Type: File User: CONTOSO\Domain Users Flags: Success Accesses: FILE_WRITE_DATA FILE_APPEND_DATA FILE_DELETE_CHILD DELETE The command was successfully executed.
`