Auditing file access recommendations

Posted: 04/13/2012 13:59:15
by Adam Singer (Basic support level)
Joined: 04/13/2012
Posts: 2

I'm using CallbackFS to virtually map files (mostly in PNG, PDF, and TIFF formats) to a network share on a machine in an Active Directory domain. Through the help file and this forum I've been able to map the originator token back to a username in the CbFsOpenFileEvent.

In checking the order of calls from applications attempting to access our shared files, I've noticed that some apps open and close the file repeatedly before actually starting any reads, sometimes up to two dozen times. We're required to log access to our files and would rather not log so many times when there's really only one read occurring. My preference, then, is to log the audit in the first read event. My understanding and testing shows that we need to store the username on the context during the open since the read token identifies the system user rather than the remote user. If there are multiple users accessing the same file simultaneously, of course, we must store more than one username on the context.

The best solution I've come up with so far is to have a collection of users on the context, adding users to it in the open event if that username isn't yet in the collection. Then, in the read event, log an audit for all users currently listed on the context and clear the collection. Of course, if one of the users' applications is in the preliminary open/close events without a read when this log occurs, we will still log more than one audit event when they open and read shortly thereafter.

First, is my assumption that multiple users will share the same context for the file correct, even if they are coming from separate machines? Is there any other mechanism that can help us log just one audit for each file read? It's preferable to have extra logs than to miss any, but the ideal would be a one-to-one mapping.

Thank you!
Posted: 04/14/2012 02:47:55
by Eugene Mayevski (EldoS Corp.)

Assuming that you have set CallAllOpenCloseCallbacks property to true (to get all calls), storing user names and other security info in the collection and in context for further use is the only approach.

Contexts currently are "per-file", which means that the context is the same between first open and last close operations (after the file is closed, context becomes invalid and new opening will allocate new context).

Sincerely yours
Eugene Mayevski
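The scheme agreed on in the two posts above, as an added, runnable simulation that is not EldoS code and does not use the real CallbackFS API: a per-file context that exists from the first open to the last close (as the reply states), a collection of user names filled in by the open callback (where the originator token can be resolved to a user, as the poster describes), and a read callback that audits every user still pending on that context exactly once. The `on_open`/`on_read`/`on_close` methods, the handle numbers, the user names and the in-memory audit log are all constructed for the example; a real handler would receive them from the driver. The scenarios at the bottom replay the three situations the thread discusses: an application that opens and closes a file two dozen times before reading, two users on the same file at once, and the "extra log" case the poster is willing to accept.

```python
"""Simulation of audit-on-first-read with a per-file context (added example)."""
import threading
from dataclasses import dataclass, field


@dataclass
class FileContext:
    """Per-file state; created on first open, discarded on last close."""
    path: str
    handles: dict = field(default_factory=dict)  # handle id -> resolved user name
    pending: set = field(default_factory=set)    # users that opened but are not yet audited


class AuditFilesystem:
    def __init__(self):
        self._lock = threading.Lock()  # callbacks arrive on many threads; serialize state
        self._contexts = {}            # path -> FileContext (the "per-file" context)
        self._next_handle = 0          # stand-in for whatever the driver hands back
        self.audit_log = []            # (path, user) records; in-memory stand-in for the real log

    def on_open(self, path, user):
        """Open callback: user is resolved from the originator token (assumed done by caller)."""
        with self._lock:
            ctx = self._contexts.get(path)
            if ctx is None:
                ctx = self._contexts[path] = FileContext(path)
            self._next_handle += 1
            handle = self._next_handle
            ctx.handles[handle] = user
            ctx.pending.add(user)   # same user reopening before reading is added only once
            return handle

    def on_read(self, path, handle):
        """Read callback: identity is not available here, so audit everyone pending."""
        with self._lock:
            ctx = self._contexts[path]
            if handle not in ctx.handles:
                raise KeyError("read on a handle that is not open")
            audited = sorted(ctx.pending)
            ctx.pending.clear()
            self.audit_log.extend((path, user) for user in audited)
            return audited

    def on_close(self, path, handle):
        """Close callback: drop the context with the last handle; returns True on last close."""
        with self._lock:
            ctx = self._contexts[path]
            del ctx.handles[handle]
            if not ctx.handles:
                del self._contexts[path]   # context becomes invalid after the last close
                return True
            return False

    def open_file_count(self):
        with self._lock:
            return len(self._contexts)


def scenario_probe_then_read():
    """App opens/closes 24 times without reading, then opens and reads: one record."""
    fs = AuditFilesystem()
    for _ in range(24):
        h = fs.on_open("share/doc.pdf", "DOMAIN\\alice")
        fs.on_close("share/doc.pdf", h)      # each cycle builds and tears down a context
    h = fs.on_open("share/doc.pdf", "DOMAIN\\alice")
    fs.on_read("share/doc.pdf", h)
    fs.on_read("share/doc.pdf", h)           # further reads on the same handle add nothing
    fs.on_close("share/doc.pdf", h)
    return fs.audit_log, fs.open_file_count()


def scenario_concurrent_users():
    """Two users (possibly on different machines) share one context for the same file."""
    fs = AuditFilesystem()
    ha = fs.on_open("share/scan.tif", "DOMAIN\\alice")
    hb = fs.on_open("share/scan.tif", "DOMAIN\\bob")
    first = fs.on_read("share/scan.tif", hb)   # cannot tell who read; both are audited
    second = fs.on_read("share/scan.tif", ha)  # nothing pending any more
    fs.on_close("share/scan.tif", ha)
    fs.on_close("share/scan.tif", hb)
    return first, second, fs.audit_log


def scenario_extra_log():
    """alice is in a no-read open when bob reads, then reads herself later: two alice records."""
    fs = AuditFilesystem()
    ha = fs.on_open("share/page.png", "DOMAIN\\alice")
    hb = fs.on_open("share/page.png", "DOMAIN\\bob")
    fs.on_read("share/page.png", hb)         # alice audited early, along with bob
    fs.on_close("share/page.png", ha)        # alice's probe close, no read happened
    fs.on_close("share/page.png", hb)
    ha = fs.on_open("share/page.png", "DOMAIN\\alice")
    fs.on_read("share/page.png", ha)         # new context, alice audited again
    fs.on_close("share/page.png", ha)
    return [u for _, u in fs.audit_log].count("DOMAIN\\alice")
```

The third scenario shows the limit of keeping the de-duplication state inside the context: because the context is gone after the last close, nothing remembers that alice was already audited, so she gets a second record. That is the "extra logs rather than missed ones" outcome the poster accepts; collapsing it further would require state keyed by file and user that outlives the context, which is outside what the thread describes.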


