Software for defining rules for folder permissions and monitoring deviations

Posted by Kjensen on Server Fault See other posts from Server Fault or by Kjensen
Published on 2012-09-27T08:50:27Z Indexed on 2012/09/27 9:39 UTC
Read the original article Hit count: 179

Filed under:

file-permissions

|

security-audit

Let's say a company has a large number of users, and each user has a home area.

On each share used for home area folders, I would like to define some rules saying who is supposed to have which permissions on the folder.

Then I would like to audit automatically, that this is actually the case and get some sort of report on deviations.

So a rule for \MegaServer\Home01 could be defined something like:

Domain Admins - Full Control
Backup Agent - Read
[Home folder owner] - Full Control

I am talking about Windows platform and Windows servers, although I think it would most likely also work for *nix machines that expose Windows shares.

Does software like this exist?

I could roll my own basic version, but if something already exists, that is usually a better option.

I am aware of tools to make displaying permissions easier (AccessEnum, DumpSec), but that is not what I am looking for.

© Server Fault or respective owner

Related posts about file-permissions

Ubuntu - changing another users file permissions

as seen on Super User - Search for 'Super User'
I have setup Ubuntu as a development web server - however I am experiencing problems with file permissions. I have 2 users, user1 and user2, and they both have been put into the group www-data. I have uploaded a new file with user1 so the file is owned by user1 and the www-data group. At present… >>> More
How to set the default file permissions on ALL newly created files in linux

as seen on Super User - Search for 'Super User'
My question is similar to this: http://stackoverflow.com/questions/228534/linux-default-file-permission but there is no scp/ftp client involved and that question looks abandoned. Simply put: I want to be able to, at some global level decree that all newly created files will never have world writable… >>> More
file permissions and group ownership using sftp

as seen on Super User - Search for 'Super User'
Is there a way to have all files created by a particular user under sftp to have a specific group and file permissions? The user in question, of course, will be a member of the group, but it is not his primary group. In other words, is there a way for sftp to automatically duplicate the effects of… >>> More
Storing file permissions in Subversion repository

as seen on Stack Overflow - Search for 'Stack Overflow'
How do you store file permissions in a repository? A few files need to be read-only to stop a third party program from trashing it but after checking out of the repository they are set to read-write. I looked on google and found a blog post from 2005 that states that Subversion doesn't store file-permissions… >>> More
Maintain file permissions when extracting from a zip file using JDK 5 api

as seen on Stack Overflow - Search for 'Stack Overflow'
I am using java.util.Zip and java.util.ZipEntry to successfully extra a zip file's contents to disk. I would like to maintain the file permissions set when extracting on a *nix file-system. Can anyone point me to the "correct" way to do this? >>> More

Related posts about security-audit

Step-by-Step: The Do-It-Yourself Security Audit

as seen on Internet.com - Search for 'Internet.com'
Step-by-Step: The Do-It-Yourself Security Audit >>> More
pslist causes security audit log failure on non-administrative user account

as seen on Server Fault - Search for 'Server Fault'
The user has RX privs. This event consistently arises in the security logs. How can this be resolved? Or what is the underlying issue here? Some additional information the user has local login disabled and log on as a service enabled. Failure Audit Category: Object Access Event ID 560 Object… >>> More
Excluding specific file types from a security audit in windows server 2008

as seen on Server Fault - Search for 'Server Fault'
Hi, I am looking for a way to exclude specific file types from being logged in the security audits. I have a folder being audited for deletion events and the majority of logged events are .tmp files (such as a temp Word file that is automatically deleted when the app is closed) which I do not care… >>> More
Security Audit Failures in Event Viewer Windows Server 2008R2

as seen on Server Fault - Search for 'Server Fault'
When I am looking at the security tab of my event viewer on a Windows Server 2008 R2, I am showing a ton of Audit Failures with Event ID 4776. The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: randy Source… >>> More
problem of setting audit rules: Syscall name unknown: stime

as seen on Server Fault - Search for 'Server Fault'
I am setting audit rules in /etc/audit/audit.rules. As the requirement : The audit system should be configured to audit all administrative, privileged, and security actions. So I add one line into /etc/audit/auditd.rules: -a exit,always -S stime -S acct -S reboot -S swapon However, after I restart… >>> More