Audit Failure : Clock.pfa (Octopus Deploy 2.5.12.666)

Is there a solution to get these audit failures to stop? Any suggestions/leads are greatly appreciated…


A handle to an object was requested.
Subject:
Security ID: SYSTEM
Account Name: *******$
Account Domain: *******
Logon ID: 0x3E7

Object:
Object Server: Security
Object Type: File
Object Name: E:\Octopus\Tentacle\Actors\Clock.pfa
Handle ID: 0x0
Resource Attributes: -

Process Information:
Process ID: 0x430
Process Name: E:\Octopus\Applications.SQ-EMCDS79-83B56653\Octopus.Tentacle\2.5.12.666\Tentacle.exe

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: DELETE
READ_CONTROL
SYNCHRONIZE
ACCESS_SYS_SEC
ReadData (or ListDirectory)
WriteData (or AddFile)
ReadEA
ReadAttributes

Access Reasons:		-
Access Mask:		0x113008B
Privileges Used for Access Check:	-
Restricted SID Count:	0

Hi Mani,

Thanks for getting in touch. Clock.pfa is a file used by Octopus and Tentacle. We don’t create these audit events ourselves, but we might be checking whether the file exists before creating it, or we might be deleting it, which could trigger the audit event due to the way security auditing has been configured on your system.

Hope this helps,

Paul

Paul,

Thanks so much for responding! The tentacle is running as the “Local System account” and the Local System account owns and has full control of this file. The audit event still keeps getting created. Would you possibly have any more leads?

Thanks!
Mani

Hi Mani,

Thanks for the reply. There’s not much we can do; Octopus needs to access files. It looks like auditing has been turned on at a very high level on your system and that’s why you’re getting the events.

As an example, go to Local Security Policy, go to Audit Policy, and find the Audit Object Access policy. Change it to audit success/failure messages, then try to do anything. The security event log will fill with errors about opening files. The solution would be to turn the policy off.

Paul
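
Added example, not part of the thread and not Octopus code: decoding the Access Mask field of the event quoted in the question shows which rights make up 0x113008B and flags ACCESS_SYS_SEC, a right that a file's DACL cannot grant and that requires SeSecurityPrivilege. The bit values are the standard Windows file access rights; the function names are hypothetical and the sample event text is constructed from the fields quoted above.

```python
import re

# Standard Windows file-object access rights, keyed by bit value.
FILE_RIGHTS = {
    0x00000001: "ReadData (or ListDirectory)", 0x00000002: "WriteData (or AddFile)",
    0x00000004: "AppendData (or AddSubdirectory)", 0x00000008: "ReadEA",
    0x00000010: "WriteEA", 0x00000020: "Execute/Traverse",
    0x00000040: "DeleteChild", 0x00000080: "ReadAttributes",
    0x00000100: "WriteAttributes", 0x00010000: "DELETE",
    0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYS_SEC",
}
# ACCESS_SYSTEM_SECURITY is not granted by any DACL entry, even Full Control;
# the caller must hold SeSecurityPrivilege.
PRIVILEGE_GATED = {0x01000000}

# Constructed sample: three fields copied from the event in the question.
SAMPLE_EVENT = ("Object Name: E:\\Octopus\\Tentacle\\Actors\\Clock.pfa\n"
                "Access Mask:\t\t0x113008B\n"
                "Privileges Used for Access Check:\t-\n")

def decode_mask(mask):
    """Return (right names, leftover bits) for a file access mask."""
    names = [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]
    known = sum(bit for bit in FILE_RIGHTS if mask & bit)
    return names, mask & ~known

def triage(event_text):
    """Extract the access mask from event text and flag privilege-gated rights."""
    m = re.search(r"Access Mask:\s*(0x[0-9A-Fa-f]+)", event_text)
    if not m:
        raise ValueError("no Access Mask field found")
    mask = int(m.group(1), 16)
    names, unknown = decode_mask(mask)
    gated = [FILE_RIGHTS[b] for b in sorted(PRIVILEGE_GATED) if mask & b]
    priv = re.search(r"Privileges Used for Access Check:\s*(\S+)", event_text)
    return {"mask": mask, "rights": names, "unknown_bits": unknown,
            "privilege_gated": gated,
            "privilege_used": priv.group(1) if priv else None}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```

The decoded rights match the Accesses list in the event one for one, so the mask carries no bits beyond those eight.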