Security Audit journal is clogged with unwanted events

  • Question

  • Hello,

     I consider auditing a good way to see if my computer is behaving normally without unwanted activity.

     So I enabled auditing for the file system, and I added audit SACLs on the trees I want to monitor. So far so good.

     Unfortunately there are annoying audits logged that make it difficult to find abnormal activity among a heap of useless events.

     The most common event is that several programs, OneDrive to begin with, attempt to make file operations with the ACCESS_SYS_SEC bit set. The operation of course fails and is logged.

     My first problem is how to avoid an audit in these circumstances while keeping audits for all other failed access bits.

     There is no bit available in the SACL editor at this point (using audit in the advanced security tab) to log or not log this failure.

     My second problem is why OneDrive sets this bit. If this bit is set by a higher-level system routine for obscure reasons, then maybe it should not be audited.

    This is not a new problem, but I would be happy to find a workaround.

    Thank you,

    - gg

    Informations sur le processus :
     ID du processus :  0x2628
     Nom du processus :  C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe

    Informations sur la demande d’accès :
     ID de la transaction   {00000000-0000-0000-0000-000000000000}
     Accès :  DELETE
        Lecture données (ou liste de répertoire)
        Écriture données (ou ajout fichier)

     Raisons de l’accès :  DELETE: Accordé par ACE sur le dossier parent D:(A;OICIID;FA;;;S-1-5-21-myident)
        READ_CONTROL: Accordé par la propriété
        SYNCHRONIZE: Inconnu ou non contrôlé
        ACCESS_SYS_SEC: Non accordé en raison d’un élément manquant SeSecurityPrivilege
        Lecture données (ou liste de répertoire): Inconnu ou non contrôlé
        Écriture données (ou ajout fichier): Inconnu ou non contrôlé
        ReadEA: Inconnu ou non contrôlé
        ReadAttributes: Accordé par ACE sur le dossier parent D:(A;OICIID;FA;;;S-1-5-21-myident)

    Masque d’accès   0x113008B
     Privilèges utilisés pour les vérifications d’accès : -
     Nombre de SID restreints : 0

    Monday, May 23, 2016 5:37 PM


  • Hi,

    As far as I know, the ACCESS_SYSTEM_SECURITY bit corresponds to the right to access the object's SACL.

    The ACCESS_SYSTEM_SECURITY access right controls the ability to get or set the SACL in an object's security descriptor. The system grants this access right only if the SE_SECURITY_NAME privilege is enabled in the access token of the requesting thread.

    And the system uses the ACCESS_SYSTEM_SECURITY access right in a SACL to audit attempts to use the access right.

    Please mark the reply as an answer if you find it is helpful.

    If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Wednesday, May 25, 2016 3:26 PM
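    An added example, not from either poster, that triages audit records of the kind shown in the question using the point made in the reply: a request fails for ACCESS_SYSTEM_SECURITY alone when SeSecurityPrivilege is missing, so such records can be set aside while every other refused right is kept. The access-mask bit names come from winnt.h; the denial-line pattern, the second sample event and the field names are assumptions made for this example.

```python
"""Triage Windows file-system audit records whose only refused right is
ACCESS_SYSTEM_SECURITY (SACL read/write), as in the OneDrive event in the post."""
import re

# Access-mask bits from winnt.h; the FILE_* names apply to files and directories.
ACCESS_BITS = {
    0x00000001: "FILE_READ_DATA", 0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA", 0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA", 0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD", 0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES", 0x00010000: "DELETE",
    0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY",
}
ACCESS_SYSTEM_SECURITY = 0x01000000

# "<right>: Non accordé ..." (French, as in the post) or "<right>: Not granted ..." (English).
DENIED_RE = re.compile(r"(\w+(?:\s*\([^)]*\))?):\s*(?:Non accord|Not granted)", re.IGNORECASE)


def decode_mask(mask):
    """Return the names of the rights set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]


def denied_rights(access_reasons):
    """Rights that the 'Access Reasons' block reports as refused."""
    return DENIED_RE.findall(access_reasons)


def is_sacl_only_failure(mask, access_reasons):
    """True when ACCESS_SYSTEM_SECURITY was requested and was the only refused right."""
    return bool(mask & ACCESS_SYSTEM_SECURITY) and denied_rights(access_reasons) == ["ACCESS_SYS_SEC"]


def triage(events):
    """Keep only records whose failure is not explained solely by a missing SeSecurityPrivilege."""
    return [e for e in events if not is_sacl_only_failure(e["mask"], e["reasons"])]


# Constructed sample: the OneDrive record from the question (mask 0x113008B, reasons
# abridged) plus an invented second record in which WRITE_DAC was refused as well.
ONEDRIVE_REASONS = """DELETE: Accordé par ACE sur le dossier parent
READ_CONTROL: Accordé par la propriété
ACCESS_SYS_SEC: Non accordé en raison d'un élément manquant SeSecurityPrivilege
Lecture données (ou liste de répertoire): Inconnu ou non contrôlé"""
SAMPLE_EVENTS = [
    {"process": "OneDrive.exe", "mask": 0x113008B, "reasons": ONEDRIVE_REASONS},
    {"process": "unknown.exe", "mask": 0x01040000,
     "reasons": "WRITE_DAC: Not granted\nACCESS_SYS_SEC: Not granted due to missing SeSecurityPrivilege"},
]
```

Running `triage(SAMPLE_EVENTS)` drops the OneDrive record and keeps the second one, because WRITE_DAC was refused there as well.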