Setting up Audit rules with PS

PowerShell Help
1

Where I work we have several security policies, which include the auditing of certain folders. Below is a script I’m working on, the $folders variable will contain many system folders such as “c:\windows”, c:\windows\system32 etc.

Can anyone forsee an issue with the below script? (It should just run through and put the everyone group in the failure audit with all boxes checked)

Also, is there a way to display the folder’s auditing policy? I tried ($folder | get-acl).getauditrules but it just displays the method properties.

I would like to also be able to pull a report that would say like

folder, audit policies
c:\test, failure - everyone - full control

Thanks for the assistance in advance!

$folders = “C:\test”
$User = “Everyone”
$Rules = “FullControl”
$InheritType = “None”
$AuditType = “Failure”
$hostn = hostname

write-host “$hostn”
foreach($folder in $folders)
{
$ACL = new-object System.Security.AccessControl.DirectorySecurity
$AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($user,$Rules,$InheritType,“None”,$AuditType)
$ACL.SetAuditRule($AccessRule)
$ACL | Set-Acl $Folder
write-host “Setting Audit Rules on $folder”

}

2

The only thing I would worry about is that you might be overwriting more than you intended, by creating a new DirectorySecurity object from scratch. (This would require some testing; see if your DACL, Owner, etc are still intact after running your code as-is.)

You could try this instead, as a way of avoiding that problem:

foreach($folder in $folders)
{
    try
    {
        $ACL = $folder | Get-Acl -Audit -ErrorAction Stop

        $AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($user,$Rules,$InheritType,"None",$AuditType)
        $ACL.SetAuditRule($AccessRule)
        $ACL | Set-Acl $Folder -ErrorAction Stop
        write-host "Setting Audit Rules on $folder"
    }
    catch
    {
        Write-Error -ErrorRecord $_
    }
}
3

Thanks! Looks pretty good. I’m not too worried about over writting any audting on these folders for the ‘everyone group’, as it will always be non-existant or less than ‘fullcontrol’ which is required to be compliant to our security doc.

Thanks again sir!