Let me explain why we need the requirement in the title:
Last year a critical file that was shared between 6 computers was leaked, and we couldn’t tell who did the action. There were six suspects + the AD administrator, who connects using RDP/SSH to the Windows machines.
So my question is:
Can we get information or log activities on those computers? E.g. what file has been opened/created/edited/deleted.
In case of a remote session, does BigFix give the possibility to prevent files from being copied, uploaded or attached via emails … or at least tell which computer did the action?
I know it’s hard to achieve this level of specificity; if there are any suggestions I would be grateful.
This looks like it might go beyond the intended capabilities of the BigFix Agent.
The agent does not install at a low level like a Virus Scanner so is not event driven where you can determine when a file is open/changed/deleted etc. This would be far more invasive to the OS (like a permissions based program or virus scanner does) and isn’t the intended application for the BigFix Agent.
You can determine some of the actions such as who altered a file etc and event logs may show some events such as who logged in when, so there is some information that the Agent could help determine.
As to copying through a RD session, you can alter permissions for RD to prevent remote copy and cut/paste to the remote so that is an option (easy to search for) but it won’t stop someone using the remote machine to go to a mount and do it - more difficult for some.
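Expanding on the event-log point in the reply above, here is an added example (not from the thread, and not a BigFix feature) that goes one step further and uses Windows' own object-access auditing: it puts an audit entry on one file, then joins file-access events (4663) to logon events (4624) to show which account touched the file and from which source address. The file path and look-back window are placeholders, and the subcategory name assumes an English-locale system.

```powershell
# Added example (not from the thread). Run elevated on the machine that holds the file.
$Path  = 'C:\Shared\critical-file.xlsx'   # placeholder path (assumption)
$Since = (Get-Date).AddDays(-7)           # look-back window (assumption)

# 1. Enable auditing for the "File System" subcategory (English-locale name).
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry so reads, writes and deletes of the file by anyone are logged.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete'
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule($everyone, $rights, $flags)))
Set-Acl -Path $Path -AclObject $acl

# Helper: flatten an event's <EventData> into a name/value hashtable.
function Get-EventFields($Record) {
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

# 3. Index logon events (4624) by logon ID to recover logon type and source address.
$logons = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object { $f = Get-EventFields $_; $logons[$f['TargetLogonId']] = $f }

# 4. List accesses to the file (4663) with the account, process and originating logon.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f['ObjectName'] -ieq $Path) {
            $l = $logons[$f['SubjectLogonId']]
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Account    = '{0}\{1}' -f $f['SubjectDomainName'], $f['SubjectUserName']
                Process    = $f['ProcessName']
                AccessMask = $f['AccessMask']
                LogonType  = if ($l) { $l['LogonType'] } else { $null }   # 10 = RDP, 3 = network (SMB)
                SourceIp   = if ($l) { $l['IpAddress'] } else { $null }
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

Auditing only records accesses made after steps 1 and 2 are in place, and only for as long as the Security log retains them, so the log needs to be sized or forwarded accordingly.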