    Security Auditing

    Justin Dettmann



      If I have an auditing job set up to audit specific files on a fileserver and someone makes a change to the file externally (not via Bladelogic), will this be recorded? I.e., will I be able to see who made the change to the file? Or would an audit job not be the right kind of job for this?



        Re: Security Auditing



          The Bladelogic agent doesn't continuously monitor files for changes -- this is by design, so that it doesn't consume significant amounts of CPU/memory on your target server, much of the time.  As such, if a file change is made externally as you describe, it will only be detected the next time an audit (or did you mean snapshot?) job is run against that server.  Blade can tell you what exactly has changed (file content, or meta-data like ownership and permissions).  But for more detailed forensics, you will have to rely on the file system's native auditing capabilities.


          By the way, a snapshot job might be more appropriate for your use-case.  An audit job is intended to compare files (or configurations, registry entries, etc.) on a server against those on a reference server -- the "gold standard" -- and to keep them in sync if they have drifted apart.

          Re: Security Auditing
            Justin Dettmann

            Hi Neeran,


            Thanks for the response. So is there not a way to track what changes have been made to a file and who made the changes?



            Re: Security Auditing

              Via a snapshot job, you can check what changes have been made to a file (metadata like permissions, ownership, etc.) along with its content (i.e. you can compare the file contents).


              But the information about who made the changes is NOT captured in a snapshot job.


              Thanks & Regards,


              Re: Security Auditing

                Right, as Gauri said, Bladelogic doesn't capture who made the changes.  It can track what changes were made -- not just file metadata but also contents if you enable content tracking.  Note also that Blade will only inspect the file at specific points in time, each time the snapshot job is run.  In between these job runs, it's possible that multiple users made multiple changes to the file.  We'd be oblivious to that...


                The native file system's audit trail is your best hope of tracking who made the changes.  And the 'who' (user identity) will of course be the local OS user in whose context the changes were made.

                Re: Security Auditing
                  Bill Robinson

                  If you are looking for something that does real-time monitoring and will likely capture the 'who', you should be looking at a different BMC product line - I believe BPPM/Patrol.
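
Added example (not part of the thread, and not BladeLogic's implementation): a minimal point-in-time snapshot comparison in Python illustrating the limitation described in the replies above. Several out-of-band edits between two runs collapse into a single diff, and nothing in the recorded state names the editor. The file name, its contents and the function names are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile


def take_snapshot(path):
    """Record the content hash and metadata of one file at this instant."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {
        "sha256": digest,                 # content tracking
        "mode": stat.S_IMODE(st.st_mode),  # permissions
        "uid": st.st_uid,                 # file OWNER, not whoever edited it
        "gid": st.st_gid,
        "size": st.st_size,
    }


def diff_snapshots(old, new):
    """Return {field: (old_value, new_value)} for every field that differs."""
    return {k: (old[k], new[k]) for k in old if old[k] != new[k]}


def demo():
    """Two snapshot runs with three out-of-band edits in between."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample file standing in for an audited file.
        path = os.path.join(d, "app.conf")
        with open(path, "w") as fh:
            fh.write("timeout=30\n")
        os.chmod(path, 0o640)
        before = take_snapshot(path)           # first job run

        # Three separate changes made outside the tool between job runs.
        for value in ("timeout=60\n", "timeout=90\n", "timeout=45\n"):
            with open(path, "w") as fh:
                fh.write(value)
        os.chmod(path, 0o644)

        after = take_snapshot(path)            # second job run
        return before, after, diff_snapshots(before, after)


if __name__ == "__main__":
    for field, (old, new) in demo()[2].items():
        print(f"{field}: {old!r} -> {new!r}")
```

The diff reports only the net change in content hash and mode; the intermediate values 60 and 90 and the identity of the editor appear nowhere, which is why the replies point to the operating system's native audit trail for the "who".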