FILE_AUDIT
This policy item is used to check the audit properties (Properties –> Security –> Advanced –> Auditing) of a file or folder
using the specified ACL. This check is performed by calling the function GetSecurityInfo
with level
SACL_SECURITY_INFORMATION on the file handle.
Note: This check requires remote registry access for the remote Windows system to function properly.
Usage
<custom_item>
type: FILE_AUDIT
description: ["description"]
value_type: [value_type]
value_data: [value]
(optional) check_type: [value]
file: ["filename"]
(optional) acl_option: [acl_option]
</custom_item>
The allowed type is:
value_type: FILE_ACL
value_data: "ACLname"
file: "PATH\Filename"
The following predefined paths can be used in the file/folder name:
%allusersprofile%
%windir%
%systemroot%
%commonfiles%
%programfiles%
%systemdrive%
%systemdirectory%
When using this audit, please note the following:
- The
file
field must include the full path to the file or folder name (e.g.,C:\WINDOWS\SYSTEM32
) or make use of the above path keywords. If using path keywords, the remote registry must be enabled to allow Nessus to determine the path variable values. - The
value_data
field is the name of the ACL defined in the policy file. - The
acl_option
field can be set to CAN_BE_NULL or CAN_NOT_BE_NULL to force a success/error if the file does not exist. - The
acl_allow
andacl_deny
fields correspond to “Successful” and “Failed” audit events.
Example
<check_type: "Windows" version:"2">
<group_policy: "Audits SYSTEM32 directory for correct auditing permissions">
<file_acl: "ACL1">
<user: "Everyone">
acl_inheritance: "not inherited"
acl_apply: "This folder, subfolders and files"
acl_deny: "full control"
acl_allow: "full control"
</user>
</acl>
<custom_item>
type: FILE_AUDIT
description: "Audit for C:\WINDOWS\SYSTEM32"
value_type: FILE_ACL
value_data: "ACL1"
file: "%SystemRoot%\SYSTEM32"
</custom_item>
</group_policy>
</check_type>