File auditing with SACLs

I am looking for documentation and/or examples of how to support file audits within a file system driver. Specifically, I am wondering if the driver is responsible for generating the audit events or if merely supporting SACLs from IRP_MJ_QUERY_SECURITY and IRP_MJ_SET_SECURITY is sufficient. I have both routines working properly (when accessed by Explorer->Properties) but no events are triggered.

There are two routines that appear useful - SeSetAuditParameter() and SeReportSecurityEvent() - but I cannot yet find documentation about them or reverse engineer them.

I am tempted to generate the 4658, 4656, and 4663 events manually, though this seems tedious and might not even solve my problem.

Any and all help will be most welcome.

Many thanks,

Steve

In general, the file system does not directly generate the audit events. There is the “GenerateOnClose” that you need to set (in the ACCESS_STATE data structure as I recall) that is returned from a call to the SeOpenObjectAuditAlarm (and it is the latter that generates most audit events).

However, you state “no audit events are triggered”. Can you confirm that auditing has been enabled on the system in the first place (since it is not by default)? You can call SeAuditingFileEvents or SeAuditingFileOrGlobalEvents in the driver to determine this (I suspect they just look at global state variables).

Tony
OSR
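Before attributing missing events to the driver, it helps to prove that the rest of the chain (audit policy, SACL round trip, event log) works on the test machine. The script below is an added example, not code from this thread or from OSR; it checks the two conditions raised above (object-access auditing enabled, a SACL actually stored on and read back from the file) and then looks for the 4656/4658/4663 events the original question mentions. `$TestFile` and `$Principal` are assumptions chosen for the example. Run it from an elevated prompt, since reading and writing a SACL requires SeSecurityPrivilege.

```powershell
# Added example (not from the thread): confirm that object-access auditing is on,
# that a SACL entry survives IRP_MJ_SET_SECURITY / IRP_MJ_QUERY_SECURITY on the
# volume under test, and that an audited access yields 4656/4663/4658 events.
# $TestFile and $Principal are assumed values for this example.

$TestFile  = 'C:\Temp\sacl-audit-test.txt'   # assumed: any file on the volume your driver serves
$Principal = 'Everyone'                       # assumed: identity whose accesses are audited

# 1. Object-access auditing is off by default; without it no 46xx events are
#    written no matter what the SACL says. Show the File System subcategory policy.
auditpol /get /subcategory:"File System"

# 2. Create the test file and add a success-audit ACE for reads and writes.
#    Set-Acl with audit rules drives the driver's IRP_MJ_SET_SECURITY path.
New-Item -ItemType Directory -Path (Split-Path $TestFile) -Force | Out-Null
Set-Content -Path $TestFile -Value 'audit test'

$rights = [System.Security.AccessControl.FileSystemRights]::ReadData -bor
          [System.Security.AccessControl.FileSystemRights]::WriteData
$flags  = [System.Security.AccessControl.AuditFlags]::Success
$rule   = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                     -ArgumentList $Principal, $rights, $flags

$acl = Get-Acl -Path $TestFile -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $TestFile -AclObject $acl

# 3. Read the SACL back (IRP_MJ_QUERY_SECURITY) and confirm the entry is present.
(Get-Acl -Path $TestFile -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# 4. Perform an audited access and then query the Security log for the
#    handle-open (4656), object-access (4663) and handle-close (4658) events.
$since = (Get-Date).AddMinutes(-1)
Get-Content -Path $TestFile | Out-Null

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663, 4658; StartTime = $since } |
    Where-Object { $_.Message -like "*$TestFile*" } |
    Select-Object TimeCreated, Id,
                  @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

If step 1 shows "No Auditing" for the File System subcategory, the absence of events is a policy issue rather than a driver issue; if the SACL entry is missing in step 3, the driver's set/query security paths are not persisting the SACL; only when both pass and step 4 is still empty does the driver's open/close audit handling become the prime suspect.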

Hi Tony,

Thank you for the suggestions and pointer to SeOpenObjectAuditAlarm. I followed the example given at http://msdn.microsoft.com/en-us/library/windows/hardware/ff538878(v=vs.85).aspx and have the audit events mostly working.

Your assistance is most appreciated.

Cheers,

Steve