File auditing

What is file auditing?

An inspection of all the events occurring within file servers is called file auditing. This includes the monitoring of file access with details of who accessed what file, when, and from where; an analysis of the most accessed and modified files; successful and failed file access attempts; and more. The main objective of the file server auditing process is to keep track of all the operations taking place within the configured server environments and ensure data security and visibility throughout the data life cycle.

How does file auditing work?

The following framework is for the file auditing process.

  •  
    Configure
    The necessary SACLs for file servers, failover clusters, and workgroup servers for an accurate and comprehensive audit.
  •  
    Audit
    File and folder operations in real time, based on the auditing policies specified in the configured servers.
  •  
    Report
    On file operations such as read, write, security permission changes, and more for internal and external auditing purposes.
  •  
    Alert
    Technicians when the system captures activities that are not in line with prescribed usage policies.
  •  
    Investigate
    The root cause of anomalies and implement corrective actions to patch the loopholes through which security breaches can occur.

Important file audit event IDs

The following events should be monitored to speed up the detection of any actions that can cause damage within file server environments.

Event IDs Description What it means
4656 A handle to an object was requested. Monitors requests to access files and folders.
4658 The handle to an object was closed. Aids in knowing how long a handle was open.
4660 An object was deleted. Generated when an object is deleted.
4663 An attempt was made to access an object. Indicates that an action was attempted on an object.
4670 Permissions on an object were changed. Detects when ACLs are changed on an object.
4907 Auditing settings on object were changed. Monitors changes in the SACL of an object.

Limitations of native file auditing

While native file auditing has sufficient tools to help organizations build a basic auditing system, it is far removed from ground reality. It's next to impossible to implement an actionable file auditing system using native methods, let alone a system that fulfils the mandates prescribed by regulatory laws.

A few notable downsides of native file auditing are:

  • It is suitable only for smaller environments. It does not scale up to meet the audit rigours of a large organization, causing performance issues.
  • The event logs generated in the native auditing tool will be overwritten once the disk storage capacity becomes full.
  • Single-console reporting is impossible. All events are haphazardly logged and requires clever scripting and correlation to extract who-did-what-and-on-which-file-style reports.
  • Important audit data is difficult to single out because of poor search capabilities.
  • The same event might have a different ID in different versions of Windows file servers, so the task of covering them all falls on the script writer.
  • The number of log entries generated for every action is too many. Hence, finding risky events which might lead to security incidents is time-consuming and task-intensive.
  • Any suspicious activities performed within the file system would go unnoticed and drilling down into the cause of mishaps, if any, would be difficult due to the absence of alerting or email notification capabilities.
  • It doesn't support compliance-specific reporting.

How can DataSecurity Plus cater to your file auditing needs?

DataSecurity Plus, ManageEngine's file auditing solution, empowers you to:

  • Continuously monitor file and folder changes, such as read, write, delete, copy, paste, move, etc. With file access auditing, you can quickly detect potential threats to your data.
  • Keep a check on unauthorized changes made to the files and folders post business hours, sudden spikes in the number of modifications made in files, repeated failed access attempts, and other suspicious events using file integrity monitoring.
  • Configure real-time change alerts and instant threat responses to catch rogue users, and execute custom scripts to shut down attacks using ransomware detection software.
  • Comply with industry-specific and region-specific IT regulations such as the GDPR, HIPAA, PCI DSS, FISMA, GLBA, etc. and resolve issues quickly using compliance auditing software.
  • Schedule a wide variety of consolidated user, share, host, and location-specific reports.
Download a free, 30-day trial
Email Download Link