I have the below code…
In short, it takes a copy of the existing audits in Windows and then compares them to the required values that are stored in a hash table.
I had an afterthought that I would want to add the security section in the ‘add-content…’ section. I’m not sure how to do this though.
So say “Logon” = “Success and Failure”; section number would be like “Section 1.8.5”
Can anyone suggest how I might best complete this?
I added the $section variable to show where I would like the output to show up.
# Required audit values, keyed by auditpol subcategory name
$dvHash = @{
    "Credential Validation"                 = "Success and Failure"
    "Kerberos Service Ticket Operations"    = "Success and Failure"
    "Other Account Logon Events"            = "Success and Failure"
    "Kerberos Authentication Service"       = "Success and Failure"
    "Account Lockout"                       = "Success and Failure"
    "Logon"                                 = "Success and Failure"
    "Logoff"                                = "Success and Failure"
    "IPsec Main Mode"                       = "Success and Failure"
    "IPsec Quick Mode"                      = "Success and Failure"
    "IPsec Extended Mode"                   = "Success and Failure"
    "Special Logon"                         = "Success and Failure"
    "Other Logon/Logoff Events"             = "Success and Failure"
    "Network Policy Server"                 = "Success and Failure"
    "User Account Management"               = "Success and Failure"
    "Computer Account Management"           = "Success and Failure"
    "Security Group Management"             = "Success and Failure"
    "Distribution Group Management"         = "Success and Failure"
    "Application Group Management"          = "Success and Failure"
    "Other Account Management Events"       = "Success and Failure"
    "Directory Service Access"              = "Failure"
    "Directory Service Changes"             = "Failure"
    "Directory Service Replication"         = "Failure"
    "Detailed Directory Service Replication" = "Failure"
    "File System"                           = "Failure"
    "Registry"                              = "Failure"
    "Detailed File Share"                   = "Failure"
    "Audit Policy Change"                   = "Success and Failure"
    "Kernel Object"                         = "Failure"
    "Filtering Platform Policy Change"      = "Success and Failure"
    "Authentication Policy Change"          = "Success and Failure"
    "MPSSVC Rule-Level Policy Change"       = "Success and Failure"
    "SAM"                                   = "Failure"
    "Security State Change"                 = "Failure"
    "Security System Extension"             = "Failure"
    "Other Policy Change Events"            = "Success and Failure"
    "System Integrity"                      = "Failure"
    "IPsec Driver"                          = "Failure"
    "Other Privilege Use Events"            = "Success and Failure"
    "Certification Services"                = "Failure"
    "Sensitive Privilege Use"               = "Success and Failure"
    "Non Sensitive Privilege Use"           = "Success and Failure"
    "Application Generated"                 = "Failure"
    "Handle Manipulation"                   = "Failure"
    "File Share"                            = "Failure"
    "Other System Events"                   = "Failure"
    "Filtering Platform Packet Drop"        = "Failure"
    "Filtering Platform Connection"         = "Failure"
    "Other Object Access Events"            = "Failure"
    "Authorization Policy Change"           = "Success and Failure"
}

# Build a hash of the current settings from auditpol output.
# Keep only the indented subcategory rows (two or more spaces), drop the
# "Setting" header, and rewrite "  Name    Value" as "Name = Value" so
# ConvertFrom-StringData can parse it. The hyphen sits last in the character
# class so it is a literal '-' (needed for "MPSSVC Rule-Level ...") and not a range.
$audithash = @{}
foreach ($string in ((auditpol /get /category:*) -match '\s\s+' -notmatch 'Setting' -replace '^\s+([a-zA-Z0-9\s\\/()?-]+\b)\s\s+([a-zA-Z0-9\s]+)', '$1 = $2')) {
    $audithash += ConvertFrom-StringData -StringData $string
}

# Compare each required value with the live setting and record the result.
# $section is where the section number for this subcategory should go.
foreach ($dvh in $dvHash.Keys) {
    $dv = $dvh + ": " + $dvHash[$dvh]
    $mv = "$dvh is set to " + $audithash[$dvh]
    if ($dvHash[$dvh] -like "*" + $audithash[$dvh] + "*" -or $audithash[$dvh] -like "*" + $dvHash[$dvh] + "*") {
        $state = "Passed"
    } else {
        $state = "Failed"
    }
    Add-Content ScanResults.csv "$section!WinMulti!$svr!$os!$ls!Log Access Attempts!Audit Subcategory $dvh WIN-MULTI!$state!$mv!$dv!$notes"
}
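One way to get the section number into the Add-Content line, written as an added example rather than the poster's code: keep a second hash table, $sectionHash, keyed by the same subcategory names, and look the section up per subcategory inside the loop. Only the "Logon" = "Section 1.8.5" mapping comes from the question; every other section value below is a placeholder, and $audithash is a constructed stand-in for the auditpol parsing in the post so the script runs offline. The example also departs from the post in two ways that a compliance check benefits from: a subcategory auditpol did not report is marked Failed instead of letting a $null value wildcard-match everything, and the comparison is an exact (case-insensitive) -eq rather than -like, so "Success" no longer passes a "Success and Failure" requirement. Get-AuditResult, $sectionHash and the "Section ?" fallback are assumptions of this example.

```powershell
# Added example, not the poster's code. Maps each subcategory to its checklist
# section. Only "Logon" = "Section 1.8.5" is from the question; the rest are
# placeholders to be filled in from your own standard.
$sectionHash = @{
    "Logon"                 = "Section 1.8.5"
    "Logoff"                = "Section X.Y.Z"   # placeholder
    "Credential Validation" = "Section X.Y.Z"   # placeholder
}

# Required values (subset of the post's $dvHash, enough for the demo).
$dvHash = @{
    "Logon"                 = "Success and Failure"
    "Logoff"                = "Success and Failure"
    "Credential Validation" = "Success and Failure"
    "Special Logon"         = "Success and Failure"
}

# Constructed sample of what the auditpol parsing in the post produces.
# In real use, build $audithash from 'auditpol /get /category:*' as the post does.
$audithash = @{
    "Logon"                 = "Success and Failure"
    "Logoff"                = "Success"
    "Credential Validation" = "No Auditing"
}

function Get-AuditResult {
    param(
        [Parameter(Mandatory)][string]$Subcategory,
        [Parameter(Mandatory)][hashtable]$Required,
        [Parameter(Mandatory)][hashtable]$Actual,
        [Parameter(Mandatory)][hashtable]$Sections
    )
    $want = $Required[$Subcategory]
    $have = $Actual[$Subcategory]

    # Look the section up by subcategory; fall back to a visible marker rather
    # than an empty field so a missing mapping is obvious in the CSV.
    $section = if ($Sections.ContainsKey($Subcategory)) { $Sections[$Subcategory] } else { "Section ?" }

    if ($null -eq $have) {
        # auditpol did not list this subcategory: report it, do not pass it.
        $state = "Failed"
        $have  = "not reported by auditpol"
    } elseif ($have -eq $want) {       # -eq is case-insensitive in PowerShell
        $state = "Passed"
    } else {
        $state = "Failed"
    }

    [pscustomobject]@{
        Section     = $section
        Subcategory = $Subcategory
        State       = $state
        Actual      = "$Subcategory is set to $have"
        Required    = "${Subcategory}: $want"
    }
}

# Stand-ins for the host fields the post's Add-Content line uses.
$svr = "HOSTNAME"; $os = "OS"; $ls = "LS"; $notes = ""

$results = foreach ($dvh in $dvHash.Keys) {
    Get-AuditResult -Subcategory $dvh -Required $dvHash -Actual $audithash -Sections $sectionHash
}

foreach ($r in $results) {
    # Same '!'-delimited layout as the post, with the section filled in first.
    Add-Content ScanResults.csv "$($r.Section)!WinMulti!$svr!$os!$ls!Log Access Attempts!Audit Subcategory $($r.Subcategory) WIN-MULTI!$($r.State)!$($r.Actual)!$($r.Required)!$notes"
}

$results | Format-Table Section, Subcategory, State
```

With the constructed $audithash above, Logon passes with "Section 1.8.5", Logoff and Credential Validation fail on value, and Special Logon fails because it was never reported; the last case is worth keeping visible, since a subcategory that silently disappears from auditpol output is itself a finding.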