File Audit Policy Script

Microsoft Windows xp professional w/serv...
February 3, 2010 at 13:14:44
Specs: Windows XP Pro
Hey everyone,
I am lost on this subject.
I need to enable individual file auditing on 200+ files within the system32 folder. I am not allowed to use the parent folder to turn on auditing and have those files inherit the settings from the parent folder. We have been doing this manually, and it takes a few solid hours to complete. I recently made a batch script using cacls to set the permissions for those files, and I assumed setting the individual file audits would be just as easy.
I have come across some commands which seem to work, but they are either for remote systems or don't get nearly specific enough.
These computers are not connected to a network, so each machine needs to be done locally.
I've seen things about maybe editing the registry or something to have the script change the settings from the back end. I would even be OK with guiding the mouse to click the appropriate check boxes, but that's just wishful thinking.
Does anyone have any ideas on how to do this?
Here are the settings that the given files in the system32 folder need:
No success audits are needed;
only failure audits for these:
traverse folder / execute file
list folder / read data
create files / write data
create folders / append data
delete
change permissions
take ownership

Any ideas? Do I need to do it in VB? If so, where would I begin with this?
Thanks


#1
February 7, 2010 at 08:19:37
Don't understand what your question is, and maybe that's why you don't get any replies...


#2
February 8, 2010 at 05:55:45
lol
I'm looking for a way to automate the audit settings for individual files.
Does that make more sense?


#3
March 25, 2010 at 09:05:12
hjahmad,

I am looking for the same thing. We might be in the same line of work, lol. PowerShell seems to have the functionality, although I haven't quite figured it out. The following seems to be a start:

$path = '<file path>'
$ACL = new-object System.Security.AccessControl.FileSecurity   # empty in-memory security descriptor for a file
$AccessRule = new-object System.Security.AccessControl.FileSystemAuditRule("<domain\User or group>","<RuleName>","<Flag to Activate>")
$ACL.SetAuditRule($AccessRule)   # place the audit entry in the in-memory SACL
$ACL | Set-Acl $path             # write it to the file; without this line the rule only exists in memory

Definitions of the variables used above

<File path> is the location and file name in this format:

<drive>:\<folder path>\filename.extension

Example: c:\windows\system32\cmd.exe

<domain\username> is the name of the account or group to audit

Example (group): company\Everyone
Example (user): localPC\seitconsult

<RuleName> is the Access rule/right being audited
ReadData
Specifies the right to open and copy a file or folder. This does not include the right to read file system attributes, extended file system attributes, or access and audit rules.

ListDirectory
Specifies the right to read the contents of a directory.

WriteData
Specifies the right to open and write to a file or folder. This does not include the right to open and write file system attributes, extended file system attributes, or access and audit rules.

CreateFiles
Specifies the right to create a file.
This right requires the Synchronize value. Note that if you do not explicitly set the Synchronize value when creating a file or folder, the Synchronize value will be set automatically for you.

AppendData
Specifies the right to append data to the end of a file.

CreateDirectories
Specifies the right to create a folder.
This right requires the Synchronize value. Note that if you do not explicitly set the Synchronize value when creating a file or folder, the Synchronize value will be set automatically for you.

ReadExtendedAttributes
Specifies the right to open and copy extended file system attributes from a folder or file. For example, this value specifies the right to view author and content information. This does not include the right to read data, file system attributes, or access and audit rules.

WriteExtendedAttributes
Specifies the right to open and write extended file system attributes to a folder or file. This does not include the ability to write data, attributes, or access and audit rules.
ExecuteFile
Specifies the right to run an application file.

Traverse
Specifies the right to list the contents of a folder and to run applications contained within that folder.

DeleteSubdirectoriesAndFiles
Specifies the right to delete a folder and any files contained within that folder.

ReadAttributes
Specifies the right to open and copy file system attributes from a folder or file. For example, this value specifies the right to view the file creation or modified date. This does not include the right to read data, extended file system attributes, or access and audit rules.

WriteAttributes
Specifies the right to open and write file system attributes to a folder or file. This does not include the ability to write data, extended attributes, or access and audit rules.

Delete
Specifies the right to delete a folder or file.

ReadPermissions
Specifies the right to open and copy access and audit rules from a folder or file. This does not include the right to read data, file system attributes, and extended file system attributes.

ChangePermissions
Specifies the right to change the security and audit rules associated with a file or folder.

TakeOwnership
Specifies the right to change the owner of a folder or file. Note that owners of a resource have full access to that resource.

Synchronize
Specifies whether the application can wait for a file handle to synchronize with the completion of an I/O operation.
The Synchronize value is automatically set when allowing access, and automatically excluded when denying access.
The right to create a file or folder requires this value. Note that if you do not explicitly set this value when creating a file, the value will be set automatically for you.

FullControl
Specifies the right to exert full control over a folder or file, and to modify access control and audit rules. This value represents the right to do anything with a file and is the combination of all rights in this enumeration.

Read
Specifies the right to open and copy folders or files as read-only. This right includes the ReadData right, ReadExtendedAttributes right, ReadAttributes right, and ReadPermissions right.

ReadAndExecute
Specifies the right to open and copy folders or files as read-only, and to run application files. This right includes the Read right and the ExecuteFile right.

Write
Specifies the right to create folders and files, and to add or remove data from files. This right includes the WriteData right, AppendData right, WriteExtendedAttributes right, and WriteAttributes right.

Modify
Specifies the right to read, write, list folder contents, delete folders and files, and run application files. This right includes the ReadAndExecute right, the Write right, and the Delete right.

<Flag to activate> is the check box you want checked
"Success" checks the success box
"Failure" checks the failure box
"None" clears any check boxes

So if I am getting this correct, to audit ExecuteFile rights for Success on the file c:\windows\system32\cmd.exe, script the following in PowerShell:


$path = 'c:\windows\system32\cmd.exe'
$ACL = new-object System.Security.AccessControl.FileSecurity
$AccessRule = new-object System.Security.AccessControl.FileSystemAuditRule("Everyone","ExecuteFile","Success")
$ACL.SetAuditRule($AccessRule)   # place the audit entry in the in-memory SACL
$ACL | Set-Acl $path             # write it to the file


I hope this is right for both our sakes!



#4
March 25, 2010 at 09:34:57
Scrap my last. Here's one that works

$ACL = new-object System.Security.AccessControl.FileSecurity   # the target is a file, so FileSecurity is the matching type (DirectorySecurity is for folders)
$AccessRule = new-object System.Security.AccessControl.FileSystemAuditRule("domain\seitconsult","Modify","success")
$ACL.SetAuditRule($AccessRule)
$ACL | Set-Acl "C:\windows\system32\cmd.exe"   # write the SACL entry to the file (run from an administrator session)



#5
March 25, 2010 at 21:24:30
I have only a "gist" of what you are talking about. I tried to help, looked at "auditusr", didn't understand about three quarters of it and couldn't figure out the syntax, but auditusr lets you set these things up without PowerShell (XP SP2, SP3), to my understanding. Anyway, I copied your post because I might have to mess with security issues someday (yechh!).


#6
March 26, 2010 at 10:27:40
Last update to the script... I hope. The following PowerShell script will turn on auditing for the ACL on arp.exe. For the group "Users" it will turn on failure auditing for Read, as well as Read and Execute. Also for the group Users, it will turn on success auditing for all the powers above Read and Execute. Note the change from "SetAuditRule" to "AddAuditRule", as SetAuditRule overwrites the ACL whereas AddAuditRule appends to the ACL. Rinse and repeat for all files. I'm sure there is a way to use a "Foreach" loop with an array to make this cleaner for multiple files, but I haven't gone that far into PowerShell as a scripting language.

$ACL = new-object System.Security.AccessControl.FileSecurity   # one in-memory SACL, built up rule by rule below
$AccessRule = new-object System.Security.AccessControl.FileSystemAuditRule("Users","ReadAndExecute","Failure")
$ACL.AddAuditRule($AccessRule)   # AddAuditRule appends; SetAuditRule would replace matching entries
$ACL | Set-Acl "C:\windows\system32\arp.exe"

$AccessRule = new-object System.Security.AccessControl.FileSystemAuditRule("Users","Write","Success")
$ACL.AddAuditRule($AccessRule)
$ACL | Set-Acl "C:\windows\system32\arp.exe"

$AccessRule = new-object System.Security.AccessControl.FileSystemAuditRule("Users","ChangePermissions","Success")
$ACL.AddAuditRule($AccessRule)
$ACL | set-Acl "C:\windows\system32\arp.exe"

$AccessRule = new-object System.Security.AccessControl.FileSystemAuditRule("Users","DeleteSubdirectoriesAndFiles","Success")
$ACL.AddAuditRule($AccessRule)
$ACL | set-Acl "C:\windows\system32\arp.exe"

$AccessRule = new-object System.Security.AccessControl.FileSystemAuditRule("Users","WriteData","Success")
$ACL.AddAuditRule($AccessRule)
$ACL | Set-Acl "C:\windows\system32\arp.exe"

$AccessRule = new-object System.Security.AccessControl.FileSystemAuditRule("Users","AppendData","Success")
$ACL.AddAuditRule($AccessRule)
$ACL | Set-Acl "C:\windows\system32\arp.exe"

$AccessRule = new-object System.Security.AccessControl.FileSystemAuditRule("Users","WriteAttributes","Success")
$ACL.AddAuditRule($AccessRule)
$ACL | Set-Acl "C:\windows\system32\arp.exe"

$AccessRule = new-object System.Security.AccessControl.FileSystemAuditRule("Users","WriteExtendedAttributes","Success")
$ACL.AddAuditRule($AccessRule)
$ACL | Set-Acl "C:\windows\system32\arp.exe"

$AccessRule = new-object System.Security.AccessControl.FileSystemAuditRule("Users","Delete","Success")
$ACL.AddAuditRule($AccessRule)
$ACL | Set-Acl "C:\windows\system32\arp.exe"



#7
March 26, 2010 at 13:52:52
Last one, I promise. It is all clean. It brings in the list of files that need the audit policies changed from a text file.
A sample of the layout of filelist.txt:

c:\windows\system32\File1.ext
c:\windows\system32\File2.ext

Now to the actual PS script:

$ErrorActionPreference = "SilentlyContinue" #continue on errors and do not display messages (a file that fails is skipped without any notice)

$FileList = Get-Content "C:\scripts\filelist.txt" #builds the array of file names for security changes; put the list of files into a text file and point this line at it

$ACL = new-object System.Security.AccessControl.FileSecurity #focus on file-level NTFS audit entries (the SACL)

$AccessRule = new-object System.Security.AccessControl.FileSystemAuditRule("administrators","FullControl","Failure") #create the object and set the desired audit ACL values into it
$ACL.AddAuditRule($AccessRule) #put the new rule into the ACL object
foreach($File in $FileList)
{$ACL | Set-Acl $File} #commit changes to every file in the filelist array

$AccessRule = new-object System.Security.AccessControl.FileSystemAuditRule("Users","Traverse","Failure") #create the object and set the desired audit ACL values into it
$ACL.AddAuditRule($AccessRule) #put the new rule into the ACL object
foreach($File in $FileList)
{$ACL | Set-Acl $File} #commit changes to every file in the filelist array

$AccessRule = new-object System.Security.AccessControl.FileSystemAuditRule("Users","Modify","Failure") #create the object and set the desired audit ACL values into it
$ACL.AddAuditRule($AccessRule) #put the new rule into the ACL object
foreach($File in $FileList)
{$ACL | Set-Acl $File} #commit changes to every file in the filelist array

$AccessRule = new-object System.Security.AccessControl.FileSystemAuditRule("Users","ChangePermissions","Failure") #create the object and set the desired audit ACL values into it
$ACL.AddAuditRule($AccessRule) #put the new rule into the ACL object
foreach($File in $FileList)
{$ACL | Set-Acl $File} #commit changes to every file in the filelist array

$AccessRule = new-object System.Security.AccessControl.FileSystemAuditRule("Users","TakeOwnership","Failure") #create the object and set the desired audit ACL values into it
$ACL.AddAuditRule($AccessRule) #put the new rule into the ACL object
foreach($File in $FileList)
{$ACL | Set-Acl $File} #commit changes to every file in the filelist array



#8
April 8, 2010 at 05:31:34
Also, you can tighten it further by adding the ACL rules one after the other and then running the loop.

My question is: how do I turn off inheritance for the auditing on each file in the loop?



#9
April 12, 2010 at 05:07:29
Can you possibly detail the full process you use for implementing this script? Any downloads or installs?
Before I use this on all the computers I'm going to have to test it so I am sure it doesn't interfere with any of the instrumentation.
This looks great. I am currently using a pretty fruity workaround which does the job but isn't so clean and still requires some minor manual work. Hopefully this can clean up those issues too.

and thanks for all your help



#10
April 16, 2010 at 10:56:57
I think just passing a few more parameters will do the trick. Haven't tested it yet.
...FileSystemAuditRule("everyone","Modify","ContainerInherit","ObjectInherit","None","failure")... will that disable inheritance on the files when the access rule is applied?

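Added example, written for this thread and not posted by anyone in it: a PowerShell script that does what #7 and #8 are reaching for in one pass per file. It reads back each file's existing SACL instead of starting from an empty FileSecurity object, breaks audit inheritance with SetAuditRuleProtection (the answer to #8's question; the extra arguments tried in #10 set inheritance flags on the new entry itself, and the constructor takes them as one combined value such as "ContainerInherit, ObjectInherit", so on a file they do not stop the file inheriting its parent's entries), and sets the failure-only rights from the first post as a single entry. It writes through FileInfo.GetAccessControl/SetAccessControl with only the Audit section, so the owner and DACL are never rewritten. Assumptions: Windows PowerShell 2.0 (the XP version) in an administrator session, the two file names in $FileList are constructed samples (swap in Get-Content C:\scripts\filelist.txt as in #7), "Everyone" as the audited identity, and the function names Set-FileFailureAudit and Get-FileAuditSummary are mine. The SACL entries produce no events unless "Audit object access" is enabled for Failure in Local Security Policy (secpol.msc), which is a separate step from this script.

```powershell
# Added example (not from the thread). Windows PowerShell 2.0, run as administrator.
# Constructed sample list; in practice use: $FileList = Get-Content "C:\scripts\filelist.txt"
$FileList = @(
    'C:\Windows\System32\arp.exe',
    'C:\Windows\System32\cmd.exe'
)

# On a file, Traverse == ExecuteFile, ListDirectory == ReadData, CreateFiles == WriteData
# and CreateDirectories == AppendData (same bits), so the seven rights from the first
# post collapse into one flags value.
$FailureRights = [System.Security.AccessControl.FileSystemRights]'ExecuteFile, ReadData, WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Set-FileFailureAudit {
    param(
        [string]$Path,
        [string]$Identity = 'Everyone',
        [System.Security.AccessControl.FileSystemRights]$Rights = $FailureRights
    )
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Read only the audit (SACL) section. Reading or writing a SACL needs
    # SeSecurityPrivilege, which an administrator session has.
    $sections = [System.Security.AccessControl.AccessControlSections]::Audit
    $security = $item.GetAccessControl($sections)

    # Stop inheriting audit entries from the parent folder (post #8's question).
    # $true = protect the SACL; $false = do not copy the inherited entries first.
    $security.SetAuditRuleProtection($true, $false)

    # Drop any existing entries for this identity so re-running does not stack duplicates.
    $security.PurgeAuditRules([System.Security.Principal.NTAccount]$Identity)

    $inherit   = [System.Security.AccessControl.InheritanceFlags]::None   # a file has no children
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $flags     = [System.Security.AccessControl.AuditFlags]::Failure      # failure only, no success
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule($Identity, $Rights, $inherit, $propagate, $flags)
    $security.AddAuditRule($rule)

    # Only the Audit section was loaded, so only the SACL is written back.
    $item.SetAccessControl($security)
}

function Get-FileAuditSummary {
    # Reads the SACL back so the result can be checked without opening the Auditing tab.
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $security = $item.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Audit)
    $rules = $security.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($r in $rules) {
        New-Object PSObject -Property @{
            Path      = $Path
            Identity  = $r.IdentityReference.Value
            Rights    = $r.FileSystemRights
            Flags     = $r.AuditFlags
            Inherited = $r.IsInherited
        }
    }
}

foreach ($file in $FileList) {
    try {
        Set-FileFailureAudit -Path $file
        Get-FileAuditSummary -Path $file | Format-Table -AutoSize
    } catch {
        # Do not silence errors as in #7: a file that was skipped is an audit gap.
        Write-Warning "Failed on $file : $($_.Exception.Message)"
    }
}
```

Running the script twice is safe because PurgeAuditRules removes the earlier entry for the same identity before the new one is added, and every file's final SACL is printed so a skipped or wrong entry is visible on the console rather than hidden by SilentlyContinue. Once "Audit object access" is on, a failed access to one of these files shows up in the Security event log (Object Open, event ID 560 on XP; 4656/4663 on Vista and later).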