List audited users in a folder or file

Hi friends, is there a way to obtain whether “Enable Auditing” for a file or folder is enabled for a user, for example “Everyone”? The output would be like:

Name: Everyone
Apply onto: This folder only
Access: Select “Failed” for each of these accesses:
• Traverse Folder/Execute File
• List Folder/Read Data
• Read Attributes
• Read Extended Attributes
• Create Files / Write Data
• Create Folders / Append Data
• Write Attributes
• Write Extended Attributes
• Delete Subfolders and Files
• Delete
• Read Permissions
• Change Permissions
• Take Ownership

Thank you in advance!

It’s a day for DACLS!

This gets a little complicated really fast.

q: (name of it, security descriptors of it) of folder "c:\temp"
A: Temp, O:S-1-5-21-1743679890-914043743-99403186-1000G:S-1-5-21-1743679890-914043743-99403186-513D:AI(A;OICI;0x1200a9;;;WD)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)
I: plural ( string, security descriptor )

These are the exact permissions of the folder in SDDL. If you don’t read SDDL, you may want to use our inspectors to dive in.

q: (name of it, (trustee of it) of entries of dacls of security descriptors of it) of folder "c:\temp"
A: Temp, Everyone
A: Temp, BUILTIN\Administrators
A: Temp, BUILTIN\Administrators
A: Temp, NT AUTHORITY\SYSTEM
A: Temp, NT AUTHORITY\SYSTEM
A: Temp, BUILTIN\Users
A: Temp, NT AUTHORITY\Authenticated Users
A: Temp, NT AUTHORITY\Authenticated Users
I: plural ( string, security identifier )

And adding a Whose clause to filter for only the Everyone Trustee

q: (name of it, (trustee of it) of entries whose (trustee of it as string = "Everyone") of dacls of security descriptors of it) of folder "c:\temp"
A: Temp, Everyone

And then diving into 3 of your listed permissions of interest

q: (name of it, (trustee of it, traverse permission of it, list permission of it, read attributes permission of it /*and so on...*/) of entries whose (trustee of it as string = "Everyone") of dacls of security descriptors of it) of folder "c:\temp"
A: Temp, ( Everyone, True, True, True )
I: plural ( string, ( security identifier, boolean, boolean, boolean ) )

More Access Control List properties here: https://developer.bigfix.com/relevance/reference/access-control-entry.html

1 Like

Hi Brolly, the procedure shows me the permissions for the folder, but not the audit properties.

With PowerShell I can obtain this:
get-acl c:\temp -audit |format-list | findstr Audit
Audit : Everyone Failure Modify

But, I need to do this with BigFix because not all my servers have Powershell (Windows 2003).

Thank you very much!
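As an added example that is not part of the thread (and PowerShell only, so it does not help on the Windows 2003 hosts), the script below reads the folder's SACL and expands each audit entry for one trustee into the individual rights and the "Apply onto" scope that the "Auditing Entry" dialog shows, instead of the summarized `Everyone Failure Modify` line that `Format-List` prints. The folder `C:\Temp` and the trustee `Everyone` are assumed defaults; pass others as parameters.

```powershell
# Added example (not from the thread): list the SACL entries of a folder for one
# trustee and expand each entry into the individual rights the "Auditing Entry"
# dialog shows. Assumed inputs: the folder C:\Temp and the trustee "Everyone".
# Reading a SACL requires SeSecurityPrivilege, so run from an elevated session.
param(
    [string]$Path    = 'C:\Temp',
    [string]$Trustee = 'Everyone'
)

$FSR = [System.Security.AccessControl.FileSystemRights]
$IF  = [System.Security.AccessControl.InheritanceFlags]
$PF  = [System.Security.AccessControl.PropagationFlags]

# Dialog label -> FileSystemRights flag, in the order the dialog lists them.
$rightNames = [ordered]@{
    'Traverse Folder/Execute File' = $FSR::ExecuteFile
    'List Folder/Read Data'        = $FSR::ReadData
    'Read Attributes'              = $FSR::ReadAttributes
    'Read Extended Attributes'     = $FSR::ReadExtendedAttributes
    'Create Files / Write Data'    = $FSR::WriteData
    'Create Folders / Append Data' = $FSR::AppendData
    'Write Attributes'             = $FSR::WriteAttributes
    'Write Extended Attributes'    = $FSR::WriteExtendedAttributes
    'Delete Subfolders and Files'  = $FSR::DeleteSubdirectoriesAndFiles
    'Delete'                       = $FSR::Delete
    'Read Permissions'             = $FSR::ReadPermissions
    'Change Permissions'           = $FSR::ChangePermissions
    'Take Ownership'               = $FSR::TakeOwnership
}

# Translate inheritance/propagation flags into the dialog's "Apply onto" wording.
function Get-ApplyOnto {
    param([System.Security.AccessControl.FileSystemAuditRule]$Rule)
    $ci = ([int]$Rule.InheritanceFlags -band [int]$IF::ContainerInherit) -ne 0
    $oi = ([int]$Rule.InheritanceFlags -band [int]$IF::ObjectInherit)    -ne 0
    $io = ([int]$Rule.PropagationFlags -band [int]$PF::InheritOnly)      -ne 0
    if (-not $ci -and -not $oi) { return 'This folder only' }
    $children = if ($ci -and $oi) { 'subfolders and files' } elseif ($ci) { 'subfolders' } else { 'files' }
    if ($io) {
        # Entry does not apply to the folder itself, e.g. "Subfolders and files only"
        return ($children.Substring(0, 1).ToUpper() + $children.Substring(1) + ' only')
    }
    $sep = if ($ci -and $oi) { ', ' } else { ' and ' }
    return "This folder$sep$children"           # e.g. "This folder, subfolders and files"
}

$acl   = Get-Acl -Path $Path -Audit
# includeExplicit = $true, includeInherited = $true, resolve SIDs to account names
$rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])

foreach ($rule in $rules) {
    if ($rule.IdentityReference.Value -ne $Trustee) { continue }
    $mask = [int]$rule.FileSystemRights
    # Keep only the dialog rows whose bits are fully present in the entry's mask.
    $set = foreach ($label in $rightNames.Keys) {
        $flag = [int]$rightNames[$label]
        if (($mask -band $flag) -eq $flag) { $label }
    }
    [pscustomobject]@{
        Name      = $rule.IdentityReference.Value
        ApplyOnto = Get-ApplyOnto -Rule $rule
        Audit     = $rule.AuditFlags             # Success, Failure, or both
        Inherited = $rule.IsInherited
        Rights    = @($set) -join '; '
    }
}
```

For the `Audit : Everyone Failure Modify` case from the post above, this prints the `Modify` shorthand as its component rows (everything in the list at the top of the thread except Delete Subfolders and Files, Change Permissions and Take Ownership), which is what you need to compare against the checkmarks the requester described.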

Hey there Hectorio,

DACL gives Discretionary Access Control List (permissions)
SACL gives Security Access Control List (Audit)

Check for
audit failure of <access control entry>
audit success of <access control entry>

Hi Brolly33!

I feel frustrated, I cannot get the permits and I cannot find clear examples that help me get the data I need. Can you support me with a simple example please?

:sweat_smile:

Thank you a lot!

I did mention that it gets complicated… The hard part is that when enumerating the Entries of the SACL of the security descriptors, you cannot get the “name” of the Entry directly.

Here is an example for reporting if the Traverse/Execute Audit Success or Audit Fail checkmarks are set for a folder named "c:\temp", for each of the trustees of the SACL entries:

q: (trustee of it, audit success of it, audit failure of it) of entries whose (execute permission of it AND traverse permission of it) of sacl of security descriptor of folder "c:\temp"
A: BUILTIN\Administrators, False, True
A: BUILTIN\Users, True, True


3 Likes

Hi Brolly33. Thank you very much! With your sample, I have built what I need: Audit Failure for “Control Total”:

(trustee of it, audit failure of it) of entries whose (generic all permission of it) of sacl of security descriptor of folder "c:\Temp"

Thank you very much!

PS: What is the way to SET the “audit” permission? :sweat_smile:
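As an added example that is not part of the thread, and again PowerShell rather than BigFix (so not an answer for the Windows 2003 hosts), this is how the audit entry described in the first post is created from a script: a Failure entry for Everyone, applied to this folder only, covering the rights in that list. The folder `C:\Temp` and the trustee `Everyone` are assumed defaults.

```powershell
# Added example (not from the thread): add a "Failure" audit entry for one
# trustee on a folder, scoped to "This folder only", with the rights listed at
# the top of the thread. Assumed inputs: C:\Temp and "Everyone". Writing a SACL
# requires SeSecurityPrivilege, so run from an elevated session.
param(
    [string]$Path    = 'C:\Temp',
    [string]$Trustee = 'Everyone'
)

# The thirteen rights from the requester's list, combined into one mask.
$rights = [System.Security.AccessControl.FileSystemRights](
    'ExecuteFile, ReadData, ReadAttributes, ReadExtendedAttributes, ' +
    'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, ' +
    'DeleteSubdirectoriesAndFiles, Delete, ReadPermissions, ChangePermissions, TakeOwnership')

$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    $Trustee,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::None,   # "This folder only"
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure
)

# Read the current descriptor including its SACL, merge the new entry, write it back.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)        # merges with an existing entry for the same trustee and flags
Set-Acl -Path $Path -AclObject $acl

# Verify: the explicit (non-inherited) SACL entries for the trustee after the change.
(Get-Acl -Path $Path -Audit).GetAuditRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq $Trustee } |
    Format-List IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, PropagationFlags
```

Two things to check after running it. The relevance from Brolly33's post (`audit failure of it` over the entries of the SACL) should now return True for the trustee, which is a handy way to verify the change from BigFix. And a SACL entry on its own generates nothing: the object-access audit policy must be enabled on the host as well (on Vista/2008 and later, `auditpol /get /subcategory:"File System"` shows the state; on Windows 2003 it is "Audit object access" in Local Security Policy), after which failed accesses show up as event 4663 (560 on Windows 2003) in the Security log.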