SACL and how to use it in a log management system

This post will describe how to enable SACL policies and how to use the events in a log management system.

I recommend using a GPO to enable SACL auditing on all servers. It will still be necessary to set a SACL on the specific folder or file, so that the event logs are not cluttered.

The GPO is created in the Group Policy manager: create a new policy and expand Computer configuration/policies/Security Settings/Advanced Audit Policy Configuration/Audit policies/Global Object Access Auditing.

Select File system and check 'Define this policy setting'. All GPO work is now done.

The next step is to configure a SACL on the folders or files that need to be monitored.

In this demonstration all work will be done on a folder called tmp.

Select properties and the security tab in properties. On the security tab select the Advanced menu.

Select Add to add the users who should be monitored; I recommend Domain Users or Everyone. This is done via the Select principal option.

I have selected advanced permissions to give myself more options, and I advise everyone to do the same.

It should now be possible to see events in the Event Viewer every time someone opens, creates or deletes a file in tmp.

The Event ID to look for is 4663. This Event ID shows all events; to filter further we have to look at the 'Accesses' codes.

This table shows how to translate the codes into something human readable.

1537 DELETE
1538 READ_CONTROL
1539 WRITE_DAC
1540 WRITE_OWNER
1541 SYNCHRONIZE
1542 ACCESS_SYS_SEC

The following search strings can be used in ELK:

EventID:4663 AND Accesses:1538

Will show all documents that have been opened

EventID:4663 AND Accesses:1537

Will show all documents that have been deleted

EventID:4663 AND (SubjectUserName: username) or (username)

Will show all documents that have been manipulated by the selected username
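As an added example (not code from the original post), the following Python applies the Accesses table above to a few constructed 4663 records and reproduces the three searches listed. The record layout, user names and file paths are assumptions made for the demonstration.

```python
# Added example: decode the Accesses field of constructed 4663 events with the
# table from the post and apply the post's three filters offline.
from __future__ import annotations
from dataclasses import dataclass

# Accesses codes as listed in the post's table.
ACCESS_NAMES = {
    "1537": "DELETE",
    "1538": "READ_CONTROL",
    "1539": "WRITE_DAC",
    "1540": "WRITE_OWNER",
    "1541": "SYNCHRONIZE",
    "1542": "ACCESS_SYS_SEC",
}

@dataclass
class Event4663:
    event_id: int
    subject_user_name: str
    object_name: str
    accesses: list[str]  # codes with the %% prefix removed, e.g. ["1538"]

def parse_accesses(raw: str) -> list[str]:
    """In the 4663 event XML the access list is whitespace-separated %%NNNN tokens.
    Strip the %% prefix so the codes match the table keys."""
    return [tok.lstrip("%") for tok in raw.split()]

def describe(event: Event4663) -> list[str]:
    """Translate each code into the human-readable name from the table."""
    return [ACCESS_NAMES.get(code, f"UNKNOWN({code})") for code in event.accesses]

# Constructed sample events (fictional users and paths under the tmp folder).
SAMPLE_EVENTS = [
    Event4663(4663, "alice", r"C:\tmp\budget.xlsx", parse_accesses("%%1538")),
    Event4663(4663, "bob",   r"C:\tmp\old.txt",     parse_accesses("%%1537")),
    Event4663(4663, "alice", r"C:\tmp\notes.txt",   parse_accesses("%%1537 %%1541")),
    Event4663(4660, "bob",   r"C:\tmp\other.txt",   []),  # not 4663: must be ignored
]

def with_access(events: list[Event4663], code: str) -> list[Event4663]:
    """Equivalent of: EventID:4663 AND Accesses:<code>"""
    return [e for e in events if e.event_id == 4663 and code in e.accesses]

def by_user(events: list[Event4663], username: str) -> list[Event4663]:
    """Equivalent of: EventID:4663 AND SubjectUserName:<username>"""
    return [e for e in events if e.event_id == 4663 and e.subject_user_name == username]
```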