Setting up Audit rules with PS

This topic contains 2 replies, has 2 voices, and was last updated by ertuu85 1 year, 9 months ago.

  • #22700
    ertuu85
    Participant

    Where I work we have several security policies, which include the auditing of certain folders. Below is a script I'm working on; the $folders variable will contain many system folders such as "c:\windows", "c:\windows\system32", etc.

    Can anyone foresee an issue with the below script? (It should just run through and put the Everyone group in the failure audit with all boxes checked.)

    Also, is there a way to display the folder's auditing policy? I tried ($folder | get-acl).getauditrules but it just displays the method properties.

    I would like to also be able to pull a report that would say like

    folder, audit policies
    c:\test, failure – everyone – full control

    Thanks for the assistance in advance!

    $folders = "C:\test"        # folders to audit; will hold many system folders in production
    $User = "Everyone"          # identity the audit entry applies to
    $Rules = "FullControl"      # FileSystemRights ("all boxes checked")
    $InheritType = "None"       # InheritanceFlags: this folder only, not subfolders or files
    $AuditType = "Failure"      # AuditFlags: failed access attempts only
    $hostn = hostname

    write-host "$hostn"
    foreach($folder in $folders)
    {
    # builds a fresh, empty security descriptor instead of reading the folder's current one
    $ACL = new-object System.Security.AccessControl.DirectorySecurity
    # FileSystemAuditRule(identity, rights, inheritanceFlags, propagationFlags, auditFlags)
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($user,$Rules,$InheritType,"None",$AuditType)
    # SetAuditRule replaces any existing audit rules for this identity (AddAuditRule would merge)
    $ACL.SetAuditRule($AccessRule)
    $ACL | Set-Acl $Folder
    write-host "Setting Audit Rules on $folder"

    }

  • #22705
    Dave Wyatt
    Moderator

    The only thing I would worry about is that you might be overwriting more than you intended, by creating a new DirectorySecurity object from scratch. (This would require some testing; see if your DACL, Owner, etc are still intact after running your code as-is.)

    You could try this instead, as a way of avoiding that problem:

    foreach($folder in $folders)
    {
        try
        {
            # -Audit reads the SACL along with the DACL and owner, so the existing
            # descriptor is modified rather than replaced (needs an elevated session)
            $ACL = $folder | Get-Acl -Audit -ErrorAction Stop
    
            # FileSystemAuditRule(identity, rights, inheritanceFlags, propagationFlags, auditFlags)
            $AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($user,$Rules,$InheritType,"None",$AuditType)
            $ACL.SetAuditRule($AccessRule)
            $ACL | Set-Acl $Folder -ErrorAction Stop
            write-host "Setting Audit Rules on $folder"
        }
        catch
        {
            Write-Error -ErrorRecord $_
        }
    }
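The reporting half of the original question (listing what is in a folder's SACL and turning it into a "folder, audit policy" report) is not covered by the reply above. The following is an added example, not code from either poster: it sets the failure-audit entry the way the reply does and then reads it back. `$acl.GetAuditRules` is a method with three parameters, which is why calling it without arguments only shows the overload; passing `$true, $true, [System.Security.Principal.NTAccount]` returns the explicit and inherited rules with SIDs resolved to names. The folder path `C:\test`, the function names and the principal `Everyone` are assumptions taken from the thread.

```powershell
# Added example (not from the original thread). Reading or writing a SACL requires
# SeSecurityPrivilege, so this must run in an elevated session.
#Requires -RunAsAdministrator

function Set-FolderFailureAudit {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string]$Identity = 'Everyone',
        [System.Security.AccessControl.FileSystemRights]$Rights = 'FullControl',
        # 'ContainerInherit, ObjectInherit' would also cover subfolders and files;
        # 'None' matches the thread's script and audits this folder only.
        [System.Security.AccessControl.InheritanceFlags]$Inheritance = 'None'
    )
    foreach ($folder in $Path) {
        try {
            # -Audit pulls the SACL along with the DACL and owner, so nothing is lost on write-back.
            $acl = Get-Acl -Path $folder -Audit -ErrorAction Stop
            $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
                $Identity, $Rights, $Inheritance,
                [System.Security.AccessControl.PropagationFlags]::None,
                [System.Security.AccessControl.AuditFlags]::Failure)
            # SetAuditRule replaces existing audit rules for this identity; AddAuditRule would merge.
            $acl.SetAuditRule($rule)
            Set-Acl -Path $folder -AclObject $acl -ErrorAction Stop
        }
        catch {
            Write-Error -ErrorRecord $_
        }
    }
}

function Get-FolderAuditReport {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($folder in $Path) {
        $acl = Get-Acl -Path $folder -Audit -ErrorAction Stop
        # GetAuditRules(includeExplicit, includeInherited, targetType): without arguments
        # PowerShell only prints the method overload, which is what the question observed.
        $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
        foreach ($r in $rules) {
            [pscustomobject]@{
                Folder    = $folder
                AuditType = $r.AuditFlags          # Success, Failure, or both
                Identity  = $r.IdentityReference.Value
                Rights    = $r.FileSystemRights
                Inherited = $r.IsInherited
            }
        }
    }
}

# Usage, using the thread's test folder as an assumed path (created here if missing).
$folders = 'C:\test'
New-Item -ItemType Directory -Path $folders -Force | Out-Null
Set-FolderFailureAudit -Path $folders
Get-FolderAuditReport -Path $folders | Format-Table -AutoSize
# For the compliance report: pipe to Export-Csv -NoTypeInformation
```

One caveat a compliance check should include: a SACL entry by itself produces no events. The "Audit object access" policy (the "Audit File System" subcategory under Advanced Audit Policy, or `auditpol /get /subcategory:"File System"` to inspect it) must also be enabled for failures on the machine, otherwise the audit entry is set but nothing is ever written to the Security log.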
    
  • #22722
    ertuu85
    Participant

    Thanks! Looks pretty good. I'm not too worried about overwriting any auditing on these folders for the 'Everyone' group, as it will always be non-existent or less than 'FullControl', which is required to be compliant with our security doc.

    Thanks again sir!
