The xaudit command adds entries in the system access control list (SACL). Each entry in this list causes an audit message to be logged when a specified user or group attempts to gain access to the resource. The xaudit‑ command removes entries from the SACL, and is valid for resource types FILE, PRINTER, REGKEY, DISK, COM, or SHARE.
This command has the following format:
xaudit className resourceName \
[failure(auditMode)] \ [gid(groupName)] \ [success(auditMode)] \ [uid(userName)]
Specifies the name of the resource type to which the resource belongs.
Logs unauthorized access attempts to the resource.
Valid values for auditmode depend on the resource type to which it belongs:
Note: Only NTFS files can have audit modes
For all resource types: none and all.
Specifies the groups whose access to the resource is being audited. When specifying more than one group, separate the names with spaces or commas.
Specifies the name of the resource record whose system access control list (SACL) is being modified.
Logs authorized accesses to the resource.
Valid values for auditmode depend on the resource type to which it belongs:
Note: Only NTFS files can have audit modes
For all resource types: none and all.
Specifies the user whose access to the resource is being audited. When specifying more than one user, separate the user names with spaces or commas. To specify all users who are defined in the Windows NT database, specify an asterisk (*) for userName.
|
Copyright © 2013 CA Technologies.
All rights reserved.
|
|