Relevance: verify file permission and adjust accordingly

Guys,

I need to be able to verify the permissions of a given file. Then, if the permissions are not set correctly, use bigfix script to make the necessary file permissions adjustment.

Can someone provide a good example of how to accomplish this fixlet?

Thanks

http://support.bigfix.com/inspectors/Filesystem%20Objects_Any.html#security%20descriptor%20of%20<file>

And a thread on folder permissions here: Need relevance to check file and folder permission as per our hardening process


For the permissions adjustment, check out


or CHMOD command on non-windows.

Either should be usable from a BigFix Action.


Guys, how would I use an if-then statement for querying the current permissions? I am looking for something like: if c:\software\test.test.exe everyone has full permission, then execute icals to change to read only.

A fixlet.

So, the fixlet relevance would be set to check the file permissions.
Then the fixlet action can be a simple dos command to make a file read only. I think attrib is what you want to look for.

That's what I really need to learn how to do.

If you are only looking to see if it is a readonly file, maybe this will help.

readonly of

Plural: readonlys Returns TRUE if the file or folder (the filesystem object) is marked as read-only. Win, WM

Viking,

I am thinking to check the security settings like Administrator, System, Users, TrustedInstaller. It is located in the Security tab of the file or folder.

This might be helpful, I think the examples are a bit difficult to step through.

q: (trustee of it, generic all permission of it, generic execute permission of it, generic read permission of it, generic write permission of it) of entries of dacls of security descriptors of folder "c:\temp"
A: BUILTIN\Administrators, True, True, True, True
A: NT AUTHORITY\SYSTEM, True, True, True, True
A: BUILTIN\Users, False, True, True, False
A: NT AUTHORITY\Authenticated Users, False, True, True, True
A: NT AUTHORITY\Authenticated Users, False, False, False, False
T: 3.221 ms
I: plural ( security identifier, boolean, boolean, boolean, boolean )

You can check the other (more detailed) permissions that you can retrieve at https://developer.bigfix.com/relevance/reference/access-control-list.html


Guys,

This is what I came up with, let me know if it makes sense.

if {effective write permission for "Everyone" of dacls of security descriptors of folder "c:\soft"}
waithidden cmd.exe /C cacls.exe C:\soft /E /G Everyone:R
endif

The /E makes cacls edit permissions, so you’d be adding READ but not taking away WRITE.

If you have a set of permissions you want you’d probably do something to set all the permissions, overwriting existing, like
waithidden cmd.exe /C cacls.exe C:\soft /G Everyone:R /G Administrators:F /G "NT Authority\SYSTEM":F

Perfect! Thanks everyone…

Jason, it would be nice to create an analysis query to get the folder permission for a given user. That way one can target specific computers with the folder or file permission set wrong.

Sure, it would be. That’s a loaded question though. You could mean three different things -

  1. Reduce permissions on the folder if there are too many accounts or permissions listed
  2. Add permissions on the folder if there are not enough accounts or permissions listed
  3. Reset permissions on the folder if they do not exactly match what you expect.

I can help you build a relevance for number 3 here, that you could modify slightly to handle cases 1 or 2 as well. To compare all the entries at once, it’s probably easiest to deal with it in native SDDL form. On a reference machine, set the permissions exactly as you want them and then retrieve the SDDL value:

q: dacls of security descriptors of folder "c:\temp" 
A: D:AI(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)(A;OICIIOID;GA;;;CO)
T: 0.967 ms
I: plural discretionary access control list

Then you could use this in an Analysis or Fixlet Relevance to compare systems to your reference value:

q: exists folder "C:\temp" whose (exists dacls whose (it as string != "D:AI(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)(A;OICIIOID;GA;;;CO)") of security descriptors of it)
A: False
T: 1.022 ms
I: singular boolean
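An added example, not part of the thread or of BigFix: the reference-SDDL comparison from the last post, done per ACE in Python so that drift is sorted into the three cases listed there (extra entries, missing entries, exact match). The `RIGHTS` table is a subset covering the mnemonics in the thread's string, the function names are made up for this example, and `DRIFTED` is a constructed sample.

```python
import re
from typing import NamedTuple

# Access-mask values for SDDL rights mnemonics (subset, enough for the thread's string).
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
          "DC": 0x2, "LC": 0x4}

class Ace(NamedTuple):
    kind: str          # "A" = allow, "D" = deny
    flags: frozenset   # inheritance flags, e.g. {"OI", "CI", "ID"}
    mask: int          # numeric access mask
    trustee: str       # SID alias (SY, BA, BU, WD, ...) or a full S-1-... SID

def parse_mask(rights: str) -> int:
    """Turn '0x1200a9' or concatenated mnemonics such as 'LCDC' into one mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHTS[code]   # KeyError on a mnemonic outside the subset above
    return mask

def parse_dacl(sddl: str):
    """Parse 'D:<flags>(ace)(ace)...' into (dacl_flags, set of Ace)."""
    head = re.match(r"D:([A-Z_]*)", sddl)
    if not head:
        raise ValueError("not a DACL string")
    aces = set()
    for body in re.findall(r"\(([^)]*)\)", sddl):
        kind, flags, rights, _obj, _inh, trustee = body.split(";")[:6]
        aces.add(Ace(kind, frozenset(re.findall("..", flags)), parse_mask(rights), trustee))
    return head.group(1), aces

def drift(reference: str, actual: str) -> dict:
    """Classify how `actual` differs from `reference` (ACE order is ignored)."""
    ref_flags, ref = parse_dacl(reference)
    act_flags, act = parse_dacl(actual)
    return {"extra": act - ref,       # case 1: entries that should be removed
            "missing": ref - act,     # case 2: entries that should be added
            "match": ref == act and ref_flags == act_flags}  # case 3

# Reference value quoted in the thread for c:\temp.
REFERENCE = ("D:AI(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)"
             "(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)(A;OICIIOID;GA;;;CO)")
# Constructed sample: the reference plus a full-control grant to Everyone (WD).
DRIFTED = REFERENCE + "(A;OICIID;FA;;;WD)"
```

Unlike the exact string comparison in the relevance, this treats a hex mask and its mnemonic (`0x1f01ff` and `FA`) as the same entry and does not depend on ACE order.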