Setting up Audit rules with PS


  • #22700

    Participant
    Points: 0
    Rank: Member

    Where I work we have several security policies, which include the auditing of certain folders. Below is a script I'm working on, the $folders variable will contain many system folders such as "c:\windows", c:\windows\system32 etc.

    Can anyone foresee an issue with the below script? (It should just run through and put the Everyone group in the failure audit with all boxes checked.)

    Also, is there a way to display the folder's auditing policy? I tried ($folder | get-acl).getauditrules but it just displays the method properties.

    I would like to also be able to pull a report that would say like

    folder, audit policies
    c:\test, failure – everyone – full control

    Thanks for the assistance in advance!

    $folders = "C:\test"          # will hold many system folders, e.g. "C:\Windows", "C:\Windows\System32"
    $User = "Everyone"
    $Rules = "FullControl"        # FileSystemRights
    $InheritType = "None"         # InheritanceFlags: this folder only, not subfolders/files
    $AuditType = "Failure"        # AuditFlags
    $hostn = hostname

    write-host "$hostn"
    foreach($folder in $folders)
    {
        # Starts from a new, empty security descriptor rather than the folder's current one
        $ACL = new-object System.Security.AccessControl.DirectorySecurity
        # FileSystemAuditRule(identity, rights, inheritanceFlags, propagationFlags, auditFlags)
        $AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($user,$Rules,$InheritType,"None",$AuditType)
        $ACL.SetAuditRule($AccessRule)
        $ACL | Set-Acl $Folder
        write-host "Setting Audit Rules on $folder"
    }
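    The reporting part of the question, as an added example that is not part of the original post: GetAuditRules is a method, so it has to be called with parentheses and its three arguments (include explicit rules, include inherited rules, identity type), and Get-Acl only returns SACL entries when -Audit is given. The function name Get-FolderAuditReport is hypothetical; reading a SACL needs SeSecurityPrivilege, so run this elevated.

```powershell
# Added example, not from the original post. Assumes an elevated session and that the folders exist.
function Get-FolderAuditReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    process {
        foreach ($folder in $Path) {
            try {
                # -Audit is required; without it the returned object carries no SACL entries.
                $acl = Get-Acl -Path $folder -Audit -ErrorAction Stop

                # GetAuditRules(includeExplicit, includeInherited, targetType) resolves SIDs to names.
                $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])

                if ($rules.Count -eq 0) {
                    # Folder has no audit entries at all; still emit a row so the report is complete.
                    [pscustomobject]@{
                        Folder = $folder; AuditFlags = 'None'; Identity = '-'; Rights = '-'; Inherited = $false
                    }
                }
                else {
                    foreach ($rule in $rules) {
                        [pscustomobject]@{
                            Folder     = $folder
                            AuditFlags = $rule.AuditFlags              # Success, Failure, or both
                            Identity   = $rule.IdentityReference.Value # e.g. Everyone
                            Rights     = $rule.FileSystemRights        # e.g. FullControl
                            Inherited  = $rule.IsInherited
                        }
                    }
                }
            }
            catch {
                Write-Error -ErrorRecord $_
            }
        }
    }
}

# Usage: a table in the shape asked for above ("folder, audit policies")
Get-FolderAuditReport -Path 'C:\test' | Format-Table -AutoSize

# Or a file for the compliance report (constructed output path)
Get-FolderAuditReport -Path 'C:\test', 'C:\Windows' |
    Export-Csv -Path .\audit-report.csv -NoTypeInformation
```

    One caveat worth checking alongside the report: a SACL entry only produces events (4663 and related) when the "File System" object-access subcategory is enabled in the audit policy (auditpol /get /subcategory:"File System"), so a folder can look compliant in this table and still log nothing.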

  • #22705

    Member
    Points: 0
    Rank: Member

    The only thing I would worry about is that you might be overwriting more than you intended, by creating a new DirectorySecurity object from scratch. (This would require some testing; see if your DACL, Owner, etc are still intact after running your code as-is.)

    You could try this instead, as a way of avoiding that problem:

    foreach($folder in $folders)
    {
        try
        {
            # Start from the folder's existing security descriptor (owner, DACL and, with -Audit, SACL)
            $ACL = $folder | Get-Acl -Audit -ErrorAction Stop

            # FileSystemAuditRule(identity, rights, inheritanceFlags, propagationFlags, auditFlags)
            $AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($user,$Rules,$InheritType,"None",$AuditType)
            $ACL.SetAuditRule($AccessRule)
            $ACL | Set-Acl $Folder -ErrorAction Stop
            write-host "Setting Audit Rules on $folder"
        }
        catch
        {
            Write-Error -ErrorRecord $_
        }
    }

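    The "testing" the reply recommends, as an added example that is neither the reply's nor the question's code: snapshot the owner and DACL before applying the audit rule the reply's way, re-read the folder afterwards, and confirm that only the SACL changed and that the expected entry is now present. It reuses the variable names from the question, typed as the .NET enums the FileSystemAuditRule constructor expects; assumes an elevated session.

```powershell
# Added example, not from the original thread. Assumes an elevated session and an existing folder.
$folders     = 'C:\test'
$User        = 'Everyone'
$Rules       = [System.Security.AccessControl.FileSystemRights]::FullControl
$InheritType = [System.Security.AccessControl.InheritanceFlags]::None   # this folder only
$Propagation = [System.Security.AccessControl.PropagationFlags]::None
$AuditType   = [System.Security.AccessControl.AuditFlags]::Failure

foreach ($folder in $folders) {
    try {
        # Snapshot of what must NOT change: owner and the DACL, captured in SDDL form for comparison.
        $before      = Get-Acl -Path $folder -Audit -ErrorAction Stop
        $ownerBefore = $before.Owner
        $daclBefore  = $before.GetSecurityDescriptorSddlForm('Access')

        # Modify the existing descriptor rather than a new DirectorySecurity object.
        $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $User, $Rules, $InheritType, $Propagation, $AuditType)
        $before.SetAuditRule($rule)   # replaces any existing Failure entry for Everyone
        $before | Set-Acl -Path $folder -ErrorAction Stop

        # Re-read the folder and verify owner and DACL are intact.
        $after     = Get-Acl -Path $folder -Audit -ErrorAction Stop
        $daclAfter = $after.GetSecurityDescriptorSddlForm('Access')
        if ($after.Owner -ne $ownerBefore -or $daclAfter -ne $daclBefore) {
            Write-Warning "$folder : owner or DACL changed while setting the SACL; review before continuing"
        }

        # Verify the explicit (non-inherited) audit entry is present with at least the required rights.
        $present = $after.GetAuditRules($true, $false, [System.Security.Principal.NTAccount]) |
            Where-Object {
                $_.IdentityReference.Value -eq $User -and
                ($_.AuditFlags -band $AuditType) -eq $AuditType -and
                ($_.FileSystemRights -band $Rules) -eq $Rules
            }
        if ($present) {
            "$folder : audit rule present ($AuditType, $User, $Rules)"
        }
        else {
            Write-Warning "$folder : audit rule not found after Set-Acl"
        }
    }
    catch {
        Write-Error -ErrorRecord $_
    }
}
```

    Comparing the SDDL of the 'Access' section is a cheap way to detect a clobbered DACL without walking every ACE; if the warning fires on a test folder, stop before pointing $folders at C:\Windows.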
  • #22722

    Participant
    Points: 0
    Rank: Member

    Thanks! Looks pretty good. I'm not too worried about overwriting any auditing on these folders for the 'everyone' group, as it will always be non-existent or less than 'fullcontrol', which is required to be compliant to our security doc.

    Thanks again sir!
