Considerations when auditing alternate NTFS data streams
There are certain considerations you must keep in mind when auditing files with NTFS alternate data streams.
The location of an object being audited is recorded in an event record using two tags, the ObjectName
tag (the path) and the HandleID
tag (the handle). To properly identify which stream requests are being logged, you must be aware of what ONTAP records in these fields for NTFS alternate data streams:
-
EVTX ID: 4656 events (open and create audit events)
-
The path of the alternate data stream is recorded in the
ObjectName
tag. -
The handle of the alternate data stream is recorded in the
HandleID
tag.
-
-
EVTX ID: 4663 events (all other audit events, such as read, write, getattr, and so on)
-
The path of the base file, not the alternate data stream, is recorded in the
ObjectName
tag. -
The handle of the alternate data stream is recorded in the
HandleID
tag.
-
The following example illustrates how to identify EVTX ID: 4663 events for alternate data streams using the HandleID
tag. Even though the ObjectName
tag (path) recorded in the read audit event is to the base file path, the HandleID
tag can be used to identify the event as an audit record for the alternate data stream.
Stream file names take the form base_file_name:stream_name
. In this example, the dir1
directory contains a base file with an alternate data stream having the following paths:
/dir1/file1.txt /dir1/file1.txt:stream1
The output in the following event example is truncated as indicated; the output does not display all of the available output tags for the events. |
For an EVTX ID 4656 (open audit event), the audit record output for the alternate data stream records the alternate data stream name in the ObjectName
tag:
- <Event> - <System> <Provider Name="Netapp-Security-Auditing" /> <EventID>4656</EventID> <EventName>Open Object</EventName> [...] </System> - <EventData> [...] **<Data Name="ObjectType"\>Stream</Data\> <Data Name="HandleID"\>00000000000401;00;000001e4;00176767</Data\> <Data Name="ObjectName"\>\(data1\);/dir1/file1.txt:stream1</Data\> ** [...] </EventData> </Event> - <Event>
For an EVTX ID 4663 (read audit event), the audit record output for the same alternate data stream records the base file name in the ObjectName
tag; however, the handle in the HandleID
tag is the alternative data stream's handle and can be used to correlate this event with the alternative data stream:
- <Event> - <System> <Provider Name="Netapp-Security-Auditing" /> <EventID>4663</EventID> <EventName>Read Object</EventName> [...] </System> - <EventData> [...] **<Data Name="ObjectType"\>Stream</Data\> <Data Name="HandleID"\>00000000000401;00;000001e4;00176767</Data\> <Data Name="ObjectName"\>\(data1\);/dir1/file1.txt</Data\> ** [...] </EventData> </Event> - <Event>