Audit Resource Access Level 1
struct ae_resaccess {
    unsigned short ae_ra_compname;   /* offset */
    unsigned short ae_ra_username;   /* offset */
    unsigned short ae_ra_resname;    /* offset */
    unsigned short ae_ra_operation;
    unsigned short ae_ra_returncode;
    unsigned short ae_ra_restype;
    unsigned short ae_ra_fileid;
};
where:
- ae_ra_compname is an offset (from the beginning
address of the ae_resaccess data structure) to an ASCIIZ string indicating
the requester that established the session.
- ae_ra_username is an offset (from the beginning
address of the ae_resaccess data structure) to an ASCIIZ string indicating
the name of the user who initiated the session. If 0, ae_ra_username
and ae_ra_compname are the same.
- ae_ra_resname is an offset (from the beginning
address of the ae_resaccess data structure) to an ASCIIZ string indicating
the name of the resource accessed.
- ae_ra_operation is one of seven values indicating
which operation was performed. These values, defined in the ACCESS.H header
file, mean the following:
┌─────────────────┬───────┬────────────────────────────────────────────────────┐
│ SYMBOLIC        │ BIT   │ MEANING                                            │
│ CONSTANT        │ MASK  │                                                    │
├─────────────────┼───────┼────────────────────────────────────────────────────┤
│ ACCESS_READ     │ 0x01  │ Data was read or run from a resource.              │
├─────────────────┼───────┼────────────────────────────────────────────────────┤
│ ACCESS_WRITE    │ 0x02  │ Data was written to a resource.                    │
├─────────────────┼───────┼────────────────────────────────────────────────────┤
│ ACCESS_CREATE   │ 0x04  │ An instance of the resource (such as a file) was   │
│                 │       │ created; data may have been written to the         │
│                 │       │ resource while the resource was being created.     │
├─────────────────┼───────┼────────────────────────────────────────────────────┤
│ ACCESS_EXEC     │ 0x08  │ A resource was run.                                │
├─────────────────┼───────┼────────────────────────────────────────────────────┤
│ ACCESS_DELETE   │ 0x10  │ A resource was deleted.                            │
├─────────────────┼───────┼────────────────────────────────────────────────────┤
│ ACCESS_ATRIB    │ 0x20  │ Attributes of a resource were changed.             │
├─────────────────┼───────┼────────────────────────────────────────────────────┤
│ ACCESS_PERM     │ 0x40  │ Permissions (read, write, create, execute, and     │
│                 │       │ delete) of a resource for a user or application    │
│                 │       │ were changed.                                      │
└─────────────────┴───────┴────────────────────────────────────────────────────┘
- ae_ra_returncode gives the return code from
the particular operation. If 0, the operation was successful.
- ae_ra_restype gives the server message block
(SMB) request function code.
- ae_ra_fileid gives the server identification
number of a file.
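
The following C code is an added example, not part of the original reference: it decodes one ae_resaccess record from a raw buffer, bounds-checking the three string offsets, applying the ae_ra_username == 0 rule, and expanding the ae_ra_operation bits. The helper names (ra_view, rd16, ra_str, ra_parse, ra_ops), the sample bytes, and the assumptions that the fields are packed 16-bit little-endian values and that strings start after the fixed fields belong to this example, not to the page.

```c
#include <stdio.h>
#include <string.h>

#define RA_HDR 14   /* seven 16-bit fields; assumed packed and little-endian */
struct ra_view { const char *comp, *user, *res; unsigned op, rc, restype, fileid; };
static unsigned rd16(const unsigned char *p) { return p[0] | (p[1] << 8); }

/* Offset -> ASCIIZ string; NULL if outside the record or unterminated.
   Assumption: a string never starts inside the fixed fields. */
static const char *ra_str(const unsigned char *rec, size_t len, unsigned off) {
    if (off < RA_HDR || off >= len || !memchr(rec + off, 0, len - off))
        return NULL;
    return (const char *)rec + off;
}

/* Returns 0 on success, -1 if the record is truncated or an offset is bad. */
static int ra_parse(const unsigned char *rec, size_t len, struct ra_view *v) {
    if (len < RA_HDR) return -1;
    v->comp = ra_str(rec, len, rd16(rec));
    v->res  = ra_str(rec, len, rd16(rec + 4));
    /* ae_ra_username == 0: the user name is the same as the requester name */
    v->user = rd16(rec + 2) ? ra_str(rec, len, rd16(rec + 2)) : v->comp;
    v->op = rd16(rec + 6);       v->rc = rd16(rec + 8);
    v->restype = rd16(rec + 10); v->fileid = rd16(rec + 12);
    return (v->comp && v->user && v->res) ? 0 : -1;
}

/* Render ae_ra_operation bits with the table's names (ACCESS_ prefix dropped). */
static const char *ra_ops(unsigned op, char *buf, size_t n) {
    static const char *nm[] = {"READ","WRITE","CREATE","EXEC","DELETE","ATRIB","PERM"};
    buf[0] = '\0';
    for (int i = 0; i < 7; i++) {
        if (!(op & (1u << i))) continue;
        if (buf[0]) strncat(buf, "|", n - strlen(buf) - 1);
        strncat(buf, nm[i], n - strlen(buf) - 1);
    }
    return buf;
}

/* Constructed sample: requester WS01, username offset 0, operation 0x12,
   return code 0, ae_ra_restype left 0 as a placeholder, file id 7. */
static const unsigned char ra_sample[] = {
    14,0, 0,0, 19,0, 0x12,0, 0,0, 0,0, 7,0,
    'W','S','0','1',0, 'D','A','T','A','\\','P','A','Y','.','D','A','T',0 };

int main(void) {
    struct ra_view v; char ops[64];
    if (ra_parse(ra_sample, sizeof ra_sample, &v)) return 1;
    printf("%s@%s %s %s rc=%u\n", v.user, v.comp, ra_ops(v.op, ops, sizeof ops), v.res, v.rc);
    return 0;
}
```

A record whose offsets point past the end of the buffer, or whose last string lacks its terminating NUL, is rejected rather than read.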