Posts Tagged ‘Audit’

Audit files opened on a server — without turning on auditing

Wednesday, May 25th, 2011

The security officer contacted me with was concern about an administrator looking at files in a user’s home directory.  I was asked whether I could watch the files being opened without turning on auditing. 

OpenFilesUserSessionAuditor.vbs parses session data, and compiles a list of what files are opened by users over time.  The data is written to a temporary database file, and then an Excel report is written.  Duplicate entries are not recorded, and you can regulate the maximum size of the database.

 I did not find any wrongdoing by any administrator.