File Audit over writing

This topic contains 2 replies, has 1 voice, and was last updated by ertuu85 2 years, 2 months ago.

  • #30455

    ertuu85
    Participant

    Below is the function I've written to check a file for audit permissions; if they aren't met, it then attempts to add them.

    It seems to work OK except when, say, c:\test needs Failure with Full Control audited and later Change Permissions set to Success. Each audit just overwrites all other audits. I thought changing

    $ACL.setAuditRule($AccessRule)

    to

    $ACL.addAuditRule($AccessRule)

    would help, but it still just removes all audits and sets the audits to what was just passed to it, instead of adding the additional audits.

    function test-audit($path, $user, $flags, $audit, $notes, $section)
    {
    	if(test-path $path)
    	{
    		#full control = DeleteSubdirectoriesAndFiles, Modify, ChangePermissions, TakeOwnership
    		if(((get-acl $path -audit).audit) | ? {$_.identityreference -eq $user})
    		{
    
    			if((((get-acl $path -Audit).audit) | ? {$_.identityreference -eq $user -and $_.auditflags -like "*"+$flags+"*" -and $_.filesystemrights -eq $audit}))
    			{
    				write-host "Audit met"
    				$mv = "$path has the correct OSR Auditing."
    				$state = "Passed"
    				add-content whatever.csv ""
    			}
    			else
    			{
    				try
    				{
    					write-host "try 1"
    					if(get-item $path)
    					{
    						# 'Access' loads only the DACL, so this object starts with no audit rules in it
    						$acl = (Get-Item $path -erroraction stop).GetAccessControl('Access')
    					}
    					else
    					{
    						# normally not reached once test-path succeeded; -Audit is what loads the existing SACL entries
    						$ACL = $path | Get-Acl -Audit -ErrorAction Stop
    					}
    
    					$AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($user,$audit,"None","None",$flags)
    					# no existing audit rules were loaded, so Set-Acl writes back a SACL holding just this rule
    					$ACL.addAuditRule($AccessRule)
    					$ACL | Set-Acl $path -ErrorAction Stop
    					write-host "Setting Audit Rules on $path"
    					$mv = "$path has the correct OSR Auditing."
    					$state = "Passed"
    					add-content whatever.csv ""
    			
    				}
    				catch
    				{
    					write-host "Entered the catch 1"
    					$mv = $error[0]
    					
    					$state = "Failed"
    					write-host "$mv"
    					add-content whatever.csv ""
    				}
    			}
    		}
    		else
    		{
    			try
    			{
    				write-host "try 2"
    				if(get-item $path)
    				{
    					# 'Access' loads only the DACL, so this object starts with no audit rules in it
    					$acl = (Get-Item $path -erroraction stop).GetAccessControl('Access')
    				}
    				else
    				{
    					# normally not reached once test-path succeeded; -Audit is what loads the existing SACL entries
    					$ACL = $path | Get-Acl -Audit -ErrorAction Stop
    				}
    				$AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($user,$audit,"None","None",$flags)
    				# no existing audit rules were loaded, so Set-Acl writes back a SACL holding just this rule
    				$ACL.addAuditRule($AccessRule)
    				$ACL | Set-Acl $path -ErrorAction Stop
    				write-host "Setting Audit Rules on $path"
    				
    				$mv = "$path has the correct OSR Auditing."
    				$state = "Passed"
    				add-content whatever.csv ""
    			
    			}
    			catch
    			{
    				write-host "Entered the catch 2"
    				$mv = $error[0]
    				
    				$state = "Failed"
    				write-host "$mv"
    				add-content whatever.csv ""
    			}
    		}
    		
    	}
    	else
    	{
    		write-host "loop3, file doesnt exist"
    		$mv = "File or directory does not exist"
    		$state = "Passed"
    		add-content whatever.csv ""
    	}
    }
    

    I also noticed I can't change some files in the Windows folder, even as an administrator running PowerShell with elevated privileges... I CAN make these changes through Explorer, but not through PowerShell:

    Attempted to perform an unauthorized operation.
    PS C:\Users\IBM_ADMIN\Desktop\SCAN> $error[0]
    Set-Acl : Attempted to perform an unauthorized operation.
    At line:30 char:35
    +                     $ACL | Set-Acl <<<<  $path -ErrorAction Stop
        + CategoryInfo          : PermissionDenied: (C:\Windows\System32\winload.exe:String) [Set-Acl], UnauthorizedAccessException
        + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand
    
  • #30459

    ertuu85
    Participant

    Well I think I know what's going on then....

    I'll first have to check the file for existing audits, then plug them into addAuditRule($whatever), and then do the

    $ACL | Set-Acl $path -ErrorAction Stop

    once all audit rules have been reloaded into it, to avoid just overwriting them.

    I think I can handle that part, but can anyone tell me why I can't edit the audits of some system files through the shell (when I can through the Explorer GUI)?

    EDIT:

    Got it to keep the existing audits and add through the function using the below code:

    function test-audit($path, $user, $flags, $audit, $notes, $section)
    {
    	if(test-path $path)
    	{
    		#full control = DeleteSubdirectoriesAndFiles, Modify, ChangePermissions, TakeOwnership
    		if((get-acl $path -audit).audit | ? {$_.identityreference -eq $user -and $_.auditflags -like "*"+$flags+"*" -and $_.filesystemrights -eq $audit})
    		{
    
    			write-host "loop1 - good!"
    			$mv = "$path has the correct OSR Auditing."
    			$state = "Passed"
    			add-content ScanResults.csv "$section!C020-S-Gv1.0-WIN-MULTI!$svr!$os!$ls!Log Access Attempts!$path - Directory Audit Setting WIN-MULTI!$state!$mv!OSR auditing on $path matches requirements in ISEC document (see note column)!$notes"
    		}
    		else
    		{
    			try
    			{
    				write-host "entering loop 1"
    				try
    				{
    					# 'Access' loads only the DACL; the existing SACL entries are re-added in the loop below
    					$ACL = (Get-Item $path -erroraction stop).GetAccessControl('Access')
    				}
    				catch
    				{
    					$ACL = $path | Get-Acl -Audit -ErrorAction Stop
    				}
    				
    				write-host $acl
    				
    				$AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($user,$audit,"None","None",$flags)
    				$ACL.addAuditRule($AccessRule)
    				
    				# re-add every entry currently in the SACL so Set-Acl keeps them alongside the new rule
    				foreach($auditrule in (get-acl $path -audit).audit)
    				{
    					# these overwrite the function's own parameters; harmless, they are not used again
    					$user = $auditrule.identityreference
    					$audit = $auditrule.Filesystemrights
    					$flags = $auditrule.auditflags
    					
    					$AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($user,$audit,"None","None",$flags)
    					$ACL.addAuditRule($AccessRule)
    				}
    					
    				$ACL | Set-Acl $path -ErrorAction Stop
    				write-host "Setting Audit Rules on $path"
    				
    				$mv = "$path has the correct OSR Auditing."
    				$state = "Passed"
    				add-content ScanResults.csv "$section!C020-S-Gv1.0-WIN-MULTI!$svr!$os!$ls!Log Access Attempts!$path - Directory Audit Setting WIN-MULTI!$state!$mv!OSR auditing on $path matches requirements in ISEC document (see note column)!$notes"
    			}
    			catch
    			{
    				write-host "Entered the catch"
    				$mv = $error[0]
    				
    				$state = "Failed"
    				write-host "$mv"
    				add-content ScanResults.csv "$section!C020-S-Gv1.0-WIN-MULTI!$svr!$os!$ls!Log Access Attempts!$path - Directory Audit Setting WIN-MULTI!$state!$mv!OSR auditing on $path matches requirements in ISEC document (see note column)!$notes"
    			}
    		
    		}
    		
    	}
    	else
    	{
    		write-host "loop3, file doesnt exist"
    		$mv = "File or directory does not exist"
    		$state = "Passed"
    		add-content ScanResults.csv "$section!C020-S-Gv1.0-WIN-MULTI!$svr!$os!$ls!Log Access Attempts!$path - Directory Audit Setting WIN-MULTI!$state!$mv!OSR auditing on $path matches requirements in ISEC document (see note column)!$notes"
    	}
    }
    

    Still just need insight on why I can't edit those pesky files through PowerShell ;/
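    A shorter way to get the behaviour the two posts above are after, as an added example that is not the poster's function: load the SACL with Get-Acl -Audit up front so AddAuditRule appends to the existing entries, and skip the write when a matching entry is already there. The function name, parameters and the C:\test calls are assumptions; it assumes an elevated session holding SeSecurityPrivilege ("Manage auditing and security log"), which reading or writing any SACL requires.

```powershell
# Added example (not the poster's code): add one SACL entry to a path without
# discarding the entries already present. Assumes an elevated session holding
# SeSecurityPrivilege, which is needed to read or write any SACL.
function Add-AuditRuleIfMissing {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Identity,   # e.g. 'Everyone' or 'BUILTIN\Users'
        [Parameter(Mandatory=$true)][System.Security.AccessControl.FileSystemRights]$Rights,
        [Parameter(Mandatory=$true)][System.Security.AccessControl.AuditFlags]$AuditFlags
    )
    # -Audit loads the existing SACL into the object. Without it (or with
    # GetAccessControl('Access')) the object holds no audit rules, so AddAuditRule
    # followed by Set-Acl writes back a SACL containing only the new entry.
    $acl = Get-Acl -Path $Path -Audit -ErrorAction Stop

    # Explicit and inherited rules: one that already covers the requested rights
    # and flags for this identity means there is nothing to change.
    $covered = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.IdentityReference.Value -eq $Identity -and
            ($_.FileSystemRights -band $Rights) -eq $Rights -and
            ($_.AuditFlags -band $AuditFlags) -eq $AuditFlags
        }
    if ($covered) {
        return [pscustomobject]@{ Path = $Path; State = 'Passed'; Action = 'Already present' }
    }

    # Directories get inheriting entries so newly created children are audited too.
    $inherit = if (Test-Path -Path $Path -PathType Container) {
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    } else {
        [System.Security.AccessControl.InheritanceFlags]::None
    }
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
        $Identity, $Rights, $inherit, [System.Security.AccessControl.PropagationFlags]::None, $AuditFlags)
    $acl.AddAuditRule($rule)   # appends to the rules loaded above instead of replacing them
    if ($PSCmdlet.ShouldProcess($Path, "Add $AuditFlags audit of $Rights for $Identity")) {
        Set-Acl -Path $Path -AclObject $acl -ErrorAction Stop
    }
    [pscustomobject]@{ Path = $Path; State = 'Passed'; Action = 'Added' }
}

# The two entries from the question now coexist instead of the second replacing the first.
Add-AuditRuleIfMissing -Path 'C:\test' -Identity 'Everyone' -Rights FullControl -AuditFlags Failure
Add-AuditRuleIfMissing -Path 'C:\test' -Identity 'Everyone' -Rights ChangePermissions -AuditFlags Success
(Get-Acl -Path 'C:\test' -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags
```

    Run it with -WhatIf first to see which paths would be written; the returned objects can replace the add-content strings in the poster's function.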

  • #30462

    ertuu85
    Participant

    I've got it; it seems the files I'm having issues with are the ones with TrustedInstaller as the owner.

    Using the function from: https://gallery.technet.microsoft.com/scriptcenter/Set-Owner-ff4db177?tduid=%286497457768c0991c7bb37a8a18f33f92%29%28256380%29%282459594%29%28TnL5HPStwNw-1AWLZfQfM7bq9r8NY2_P.g%29%28%29

    I'm able to change the owner to Admins, make the audit changes, then change them back to their original settings.
