Chris,

I have configured directory tampering in Server Sensor 6.5 on Windows 2000 and it runs successfully. Here's the configuration:

Type = 8 ; Type : Event Outcome 8 : success
Category= 0 ; 0 : match all categories
ID = 560 ; 560 = Object Access
Origin = Security ; Security (Security Event Viewer Log)

Regular Expression
    1537|4417|4418|4420|4424

Where :
    1537 = Delete
    1538 = Read_CONTROL
    1541 = synchronize
    4416 = ReadData(or List Directory)
    4417 = WriteData(or Add File)
    4418 = AppendData (or AddSubdirectory or CreatePipeInstance)
    4419 = ReadEA
    4420 = WriteEA
    4423 = ReadAttributes
    4424 = WriteAttributes

Info
    @String0 = Object Server :
    @String1 = Object Type :
    @String2 = File Name :
    @String3 = New Handle ID :
    @String4 = Operation ID Start
    @String5 = Operation ID End
    @String6 = Process ID
    @String7 = Primary User Name :
    @String8 = Primary Domain :
    @String9 = Primary Logon ID :
    @String10 = Client User Name :
    @String11 = Client Domain :
    @String12 = Client Logon ID :
    @String13 = Accesses :
    @String14 = Privileges :

Audit -> File -> File List :
    <drive_name>:\<dir_name>\*
    <drive_name>:\<dir_name>\<subdir_name>\*

I used the SecureLogic scripting like in the help file about file tampering to monitor file tampering; maybe it's basically the same with directory permissions. And don't forget to enable auditing on the Security properties of the directory/files.

Unfortunately I have had no luck when I try to use the SecureLogic script I used on Server Sensor 6.5 as the Fusion script on Server Sensor 7.0. It detected the events but failed to respond. It said something like "unknown command Fusion script error". Does anybody have experience using Fusion scripting on Server Sensor 7.0?

----- Original Message -----
From: "Cunningham, Chris, R." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 07, 2004 8:18 PM
Subject: [ISSForum] Monitoring permission changes to directories with server sensor

> We are attempting to use server sensor to monitor changes to directory permissions on our Win2000 servers via the user defined rules. The event ID is 560, but we have not had any luck, even though we are currently monitoring several other event IDs. The events do appear in the event log, but never get picked up by the server sensor (ver 6.5). Does anyone know of any other way to monitor these events and alert on them?
>
> Thanks,
>
> Chris

_______________________________________________
ISSForum mailing list
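The rule from the reply above, modelled in Python as an added example; it is not part of the original thread and is not Server Sensor, SecureLogic or Fusion code. It assumes the regular expression is searched across all of the event's insertion strings and that accesses appear as `%%`-prefixed message codes in @String13. The event records, `make_event` and the other function names are constructed for illustration, and the stricter variant shows how reading only the Accesses field avoids a hit on an unrelated number such as the process ID.

```python
import re

# Access codes and names exactly as listed in the reply above.
ACCESS_NAMES = {
    "1537": "Delete", "1538": "Read_CONTROL", "1541": "synchronize",
    "4416": "ReadData", "4417": "WriteData", "4418": "AppendData",
    "4419": "ReadEA", "4420": "WriteEA", "4423": "ReadAttributes",
    "4424": "WriteAttributes",
}
RULE_REGEX = re.compile(r"1537|4417|4418|4420|4424")  # regex from the reply
ACCESSES_INDEX = 13  # @String13 = Accesses


def header_matches(ev):
    """Type = 8 (success), ID = 560, Origin = Security; Category 0 matches all."""
    return ev["type"] == 8 and ev["id"] == 560 and ev["origin"] == "Security"


def rule_matches_any_string(ev):
    """Assumed sensor behaviour: regex searched over all insertion strings."""
    return header_matches(ev) and bool(RULE_REGEX.search(" ".join(ev["strings"])))


def write_accesses(ev):
    """Stricter variant: only whole codes in the Accesses field count."""
    if not header_matches(ev):
        return []
    codes = re.findall(r"%%(\d+)", ev["strings"][ACCESSES_INDEX])
    return [ACCESS_NAMES[c] for c in codes if RULE_REGEX.fullmatch(c)]


def make_event(accesses, process_id="812", ev_type=8):
    """Constructed event 560 record with the 15 strings listed in the reply."""
    strings = ["Security", "File", r"D:\data\reports", "1284", "{0,51234}",
               "{0,51234}", process_id, "SRV01$", "CORP", "(0x0,0x3E7)",
               "jdoe", "CORP", "(0x0,0x2A1F3)", accesses, "-"]
    return {"type": ev_type, "id": 560, "origin": "Security", "strings": strings}


if __name__ == "__main__":
    samples = {
        "write": make_event("%%4417 %%4418"),
        "read only": make_event("%%1538 %%4416"),
        "read only, PID 4420": make_event("%%1538 %%4416", process_id="4420"),
    }
    for name, ev in samples.items():
        print(name, rule_matches_any_string(ev), write_accesses(ev))
```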
