Need relevance to check file and folder permissions as per our hardening process

I have this setting for a folder and I want to write a check to verify the exact setting on the machine.

"%SystemRoot%\System32\drivers",0,"D:PAR(A;OICI;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"

Can someone help me write some compliance relevance for this?

Check http://support.bigfix.com/inspectors/Authorization%20Objects_Any.html#security%20descriptor

I believe you need something like:

sacl of security descriptor of folder "C:\Windows\System32\drivers"

Note that you can't get a result out of FixletDebugger/QnA directly, as you need the privileges that the client has in order to read SACLs.


Would this work in the fixlet debugger if run using PSExec?


It might; it basically needs the permissions of LOCAL SYSTEM, and you can do that with PsExec, yes, though I haven't exactly tried.

The easiest way would be to request this through the local client using Fixlet Debugger instead of its native evaluation.


Hi

I need to compare the security setting as per my previous post…

What @AlanM is recommending is to configure the Fixlet Debugger to use the local BESClient process to perform the query. To do this, look under Debug menu --> Evaluate Using --> select Local Client Evaluator.

The phrases take longer to evaluate, but because the local client on your PC actually performs the Evaluation, it’s a more realistic representation of the results for certain types of queries.

@TimRice, can you please help me build the checks to compare this security setting?

I’m not sure what you are asking me for. The relevance clause, as given by @AlanM, will return a value when evaluated by your system(s). I can only tell you what my development system returns for the same clause …

IF (SACL of Security Descriptor of Folder "C:\Windows\System32\drivers" as string) = "S:AI" THEN true ELSE false

Download a copy of the FixletDebugger that has the same version as the IEM Client you are running, configure it to use your local IEM Client for the Evaluation and evaluate Alan’s clause and see what you get as a return value.

If you require assistance creating custom content, I believe IBM Professional Services can be contracted to perform that type of work for you. I don't work for IBM; I'm a customer who uses IEM for my job, and I'm willing to share what I know in exchange for hopefully learning something new myself.


What you need is the security descriptor of the folder, specifically the dacl of the security descriptor (the sacl mentioned above is for the “auditing entry” whereas you’re concerned about access permissions). If you’re confident you want those exact permissions for that folder on all your servers, then you can use this relevance:

(dacl of security descriptor of folder (expand environment string of "%25SystemRoot%25\System32\drivers") as string != "D:PAR(A;OICI;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)") | true

Note: This relevance defaults to 'true' if any errors are encountered. It can be modified to provide specific error messages instead, to suit your needs.

Hi,

I think we first need to understand the meaning of all the components. Please refer to the link below.

http://www.sans.org/reading-room/whitepapers/windows/confusion-security-templates-989

I am using the secedit command to validate the current setting. For %SystemRoot%\System32, I am not getting any mismatch for the permission setting, but your relevance gives true. Note that I have removed the | true part from your relevance.

If you need a custom Fixlet/Task to fulfill your exact needs, then I would second Tim Rice’s statement about engaging IBM Professional Services. They do provide custom content authoring, and contracts to support your own efforts at authoring content.

This forum is mostly users helping each other. Josh posted a great place to start. If the relevance he posted isn’t returning the true/false that you expect, then it’s really incumbent upon you to try to understand why that is occurring.

The first place to start would be to take apart Josh’s relevance. If the dacl doesn’t match what you expect (true/false), then find out what the dacl actually is, by removing the boolean comparison and just displaying the string result:

q: dacl of security descriptor of folder (expand environment string of "%25SystemRoot%25\System32\drivers") as string
A: D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;CIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;BA)(A;OICIIO;GA;;;BA)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;OICIIO;GA;;;CO)(A;;0x1200a9;;;AC)(A;OICIIO;GXGR;;;AC)
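An added example, not from this thread or from BigFix, that takes the comparison one step further: it parses both the baseline SDDL from the original post and the DACL the client returned above, then reports the control flags and the individual ACEs that differ, which a plain string comparison only reports as "not equal". The two SDDL strings are the ones quoted in this thread; the parser assumes plain (non-conditional) ACEs, as shown here.

```python
import re

# Both strings are taken from this thread: the hardening baseline and the
# DACL the client actually returned for %SystemRoot%\System32\drivers.
BASELINE = "D:PAR(A;OICI;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"
OBSERVED = ("D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
            "(A;CIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
            "(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;BA)(A;OICIIO;GA;;;BA)"
            "(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;OICIIO;GA;;;CO)"
            "(A;;0x1200a9;;;AC)(A;OICIIO;GXGR;;;AC)")

ACE_RE = re.compile(r"\(([^)]*)\)")  # one ACE per parenthesised group


def parse_dacl(sddl):
    """Split 'D:<flags>(ace)(ace)...' into (flags, set of ACE tuples).

    Each ACE becomes (type, flags, rights, trustee); the two object-GUID
    fields are dropped because they are empty for file-system ACEs.
    """
    if not sddl.startswith("D:"):
        raise ValueError("not a DACL string: " + sddl)
    body = sddl[2:]
    first_paren = body.find("(")
    flags = body if first_paren < 0 else body[:first_paren]  # e.g. PAR / PAI
    aces = set()
    for ace in ACE_RE.findall(body):
        ace_type, ace_flags, rights, _obj, _inh_obj, trustee = ace.split(";")[:6]
        aces.add((ace_type, ace_flags, rights, trustee))
    return flags, aces


def compare_dacl(baseline, observed):
    """Describe how the observed DACL deviates from the baseline."""
    b_flags, b_aces = parse_dacl(baseline)
    o_flags, o_aces = parse_dacl(observed)
    return {
        "flags_match": b_flags == o_flags,
        "missing": sorted(b_aces - o_aces),  # required by baseline, absent on host
        "extra": sorted(o_aces - b_aces),    # present on host, not in baseline
    }


if __name__ == "__main__":
    diff = compare_dacl(BASELINE, OBSERVED)
    print("control flags match:", diff["flags_match"])
    for ace in diff["missing"]:
        print("missing:", ace)
    for ace in diff["extra"]:
        print("extra:  ", ace)
```

Run against the strings above it shows that the flags differ (PAR vs PAI, i.e. protected-and-replaced versus auto-inherited) and that none of the four baseline ACEs appear verbatim, because the host carries inherit-only ACEs and extra service and AppContainer trustees.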

Thanks for your advice. I have done it all. I do appreciate your help. Thanks.