Object Auditing Relevance

Looking for relevance to determine if auditing is enabled on specific file(s). Anyone know if this is possible, and has examples, please?

Thanks in advance

Check out SACL inspectors (assuming Windows)

https://developer.bigfix.com/relevance/reference/system-access-control-list.html

q: security descriptor of folder "c:\temp"
A: O:S-1-5-21-4xxxxxxxx7-1xxxxxxx9-1xxxxxxxx0-1xxxxxx2G:DUD:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)S:AI(AU;OICISA;CCSWWPLORC;;;BA)
I: singular security descriptor

q: dacl of security descriptor of folder "c:\temp"
A: D:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)
I: singular discretionary access control list
q: entries of dacl of security descriptor of folder "c:\temp"
E: This expression evaluates to an unrepresentable object of type "access control entry"
I: plural access control entry
q: sacl of security descriptor of folder "c:\temp"
A: S:AI(AU;OICISA;CCSWWPLORC;;;BA)
I: singular system access control list

q: entries of sacls of security descriptors of folder "c:\temp"
E: This expression evaluates to an unrepresentable object of type "access control entry"
I: plural access control entry

To expound on the example a bit… consider this example audit setting:

We can get the Trustee and the various audit settings via

q: (trustee of it, audit success of it, audit failure of it, ace flag of it, access mode of it, read permission of it, write permission of it, execute permission of it) of entries of sacls of security descriptors of file "c:\temp\AuditTest\file1.txt"
A: Everyone, True, False, 64, 5, True, True, True
A: BES-ROOT\Administrator, False, True, 128, 6, False, True, False
T: 4.122 ms
I: plural ( security identifier, boolean, boolean, integer, integer, boolean, boolean, boolean )

You can check for existence of some audit settings such as

q: exists entries whose (trustee of it = sid of user "Administrator" and write permission of it) of sacls of security descriptors of file "c:\temp\AuditTest\file1.txt"
A: True
T: 9.947 ms
I: singular boolean

q: exists entries whose (trustee of it as string = "Everyone" and read permission of it) of sacls of security descriptors of file "c:\temp\AuditTest\file1.txt"
A: True
T: 5.286 ms
I: singular boolean

q: exists entries whose (trustee of it = sid of user "Jason" and write permission of it) of sacls of security descriptors of file "c:\temp\AuditTest\file1.txt"
A: False
T: 3.156 ms
I: singular boolean

You can look up all of the ‘sacl entry’ properties via the Introspectors:

q: properties of type "access control entry"
A: read permission of <access control entry>: boolean
A: list permission of <access control entry>: boolean
A: write permission of <access control entry>: boolean
A: create file permission of <access control entry>: boolean
A: append permission of <access control entry>: boolean
A: create folder permission of <access control entry>: boolean
A: read extended attributes permission of <access control entry>: boolean
A: write extended attributes permission of <access control entry>: boolean
A: execute permission of <access control entry>: boolean
A: traverse permission of <access control entry>: boolean
A: delete child permission of <access control entry>: boolean
A: read attributes permission of <access control entry>: boolean
A: write attributes permission of <access control entry>: boolean
A: query value permission of <access control entry>: boolean
A: set value permission of <access control entry>: boolean
A: create subkey permission of <access control entry>: boolean
A: enumerate subkeys permission of <access control entry>: boolean
A: change notification permission of <access control entry>: boolean
A: create link permission of <access control entry>: boolean
A: delete permission of <access control entry>: boolean
A: read control permission of <access control entry>: boolean
A: write dac permission of <access control entry>: boolean
A: write owner permission of <access control entry>: boolean
A: synchronize permission of <access control entry>: boolean
A: access system security permission of <access control entry>: boolean
A: maximum allowed permission of <access control entry>: boolean
A: generic all permission of <access control entry>: boolean
A: generic execute permission of <access control entry>: boolean
A: generic write permission of <access control entry>: boolean
A: generic read permission of <access control entry>: boolean
A: access mode of <access control entry>: integer
A: grant type of <access control entry>: boolean
A: deny type of <access control entry>: boolean
A: audit success of <access control entry>: boolean
A: audit failure of <access control entry>: boolean
A: object inherit of <access control entry>: boolean
A: container inherit of <access control entry>: boolean
A: no propagate inherit of <access control entry>: boolean
A: inherit only of <access control entry>: boolean
A: inherited of <access control entry>: boolean
A: inheritance of <access control entry>: integer
A: ace flag of <access control entry>: integer
A: ace type of <access control entry>: integer
A: trustee type of <access control entry>: integer
A: trustee of <access control entry>: security identifier
T: 5.724 ms
I: plural property
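As an added example (not part of the thread and not BigFix code), a small Python decoder for the SDDL strings that the `security descriptor` inspector returns above: it pulls the audit (AU) ACEs out of the `S:` section and reports the same fields the `entries of sacls ...` query does (trustee, audit success/failure, ace flag, read/write permission), so you can see where the 64/128 ace flag values in the answer come from. The letter tables are the documented SDDL ACE-string format; the sample descriptors are constructed (the owner SID is a placeholder, since the original was redacted).

```python
import re
# Flag and rights letter tables from the SDDL ACE-string format (Windows SDK).
ACE_FLAGS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08, "ID": 0x10,
             "SA": 0x40, "FA": 0x80}  # SA/FA = audit successful/failed access
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
          "GW": 0x40000000, "GR": 0x80000000, "FA": 0x1F01FF, "FR": 0x120089,
          "FW": 0x120116, "FX": 0x1200A0}
TRUSTEES = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
            "BU": "BUILTIN\\Users", "AU": "NT AUTHORITY\\Authenticated Users",
            "WD": "Everyone"}
# One ACE string: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);[^;]*;[^;]*;([^)]*)\)")

def _tokens(field):
    # Split a run of two-letter SDDL tokens such as "OICISA" into OI, CI, SA.
    if len(field) % 2:
        raise ValueError(f"odd-length SDDL token field: {field!r}")
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def parse_sacl(sddl):
    """Decode the audit (AU) ACEs in the S: section of an SDDL string."""
    m = re.search(r"S:[^(]*((?:\([^)]*\))*)", sddl)  # "S:" only marks the SACL
    entries = []
    for ace_type, flags, rights, trustee in ACE_RE.findall(m.group(1) if m else ""):
        if ace_type != "AU":
            continue  # skip non-audit ACE types (e.g. AL = system alarm)
        flag_bits = sum(ACE_FLAGS[f] for f in _tokens(flags))
        mask = (int(rights, 16) if rights.startswith("0x")
                else sum(RIGHTS[r] for r in _tokens(rights)))
        entries.append({
            "trustee": TRUSTEES.get(trustee, trustee),  # raw SID if not an alias
            "audit_success": bool(flag_bits & ACE_FLAGS["SA"]),
            "audit_failure": bool(flag_bits & ACE_FLAGS["FA"]),
            "ace_flag": flag_bits,
            "read_permission": bool(mask & RIGHTS["CC"]),   # CC = FILE_READ_DATA
            "write_permission": bool(mask & RIGHTS["DC"]),  # DC = FILE_WRITE_DATA
            "access_mask": mask})
    return entries

def auditing_enabled(sddl):
    """True when at least one audit ACE exists: the check the question asks for."""
    return bool(parse_sacl(sddl))

# Constructed inputs: the c:\temp descriptor from the answer above (owner SID is a
# placeholder; the original was redacted) and a SACL mirroring the file1.txt output.
FOLDER_SD = ("O:S-1-5-21-1-2-3-500G:DUD:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)"
             "(A;OICIID;0x1200a9;;;BU)S:AI(AU;OICISA;CCSWWPLORC;;;BA)")
FILE_SD = "O:BAG:DUD:(A;;FA;;;BA)S:(AU;SA;FA;;;WD)(AU;FA;DC;;;S-1-5-21-1-2-3-500)"
```

A descriptor with no `S:` section decodes to an empty list, which is the "not audited" case the original question is trying to detect.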