SERVICE_PERMISSIONS
This policy item checks whether the service ACL is correct. The check is performed by calling the function QueryServiceObjectSecurity on the service handle.
Usage
<custom_item>
type: SERVICE_PERMISSIONS
description: ["description"]
value_type: [value_type]
value_data: [value]
(optional) check_type: [value]
service: ["servicename"]
(optional) acl_option: [acl_option]
</custom_item>
The allowed type is:
value_type: SERVICE_ACL
value_data: "ACLname"
service: "ServiceName"
When using this audit, please note the following:
- The value_data field is the name of an ACL defined in the policy file.
- The acl_option field can be set to CAN_BE_NULL or CAN_NOT_BE_NULL to force a success/error if the key does not exist.
Example
<service_acl: "ACL3">
<user: "Administrators">
acl_inheritance: "not inherited"
acl_apply: "This object only"
acl_allow: "query template" | "change template" | "query status" | "enumerate dependents" | "start" | "stop" | "pause and continue" | "interrogate" | "user-defined control" | "delete" | "read permissions" | "change permissions" | "take ownership"
</user>
<user: "SYSTEM">
acl_inheritance: "not inherited"
acl_apply: "This object only"
acl_allow: "query template" | "change template" | "query status" | "enumerate dependents" | "start" | "stop" | "pause and continue" | "interrogate" | "user-defined control" | "delete" | "read permissions" | "change permissions" | "take ownership"
</user>
<user: "Interactive">
acl_inheritance: "not inherited"
acl_apply: "This object only"
acl_allow: "query template" | "query status" | "enumerate dependents" | "interrogate" | "user-defined control" | "read permissions"
</user>
<user: "Everyone">
acl_inheritance: "not inherited"
acl_apply: "This object only"
acl_allow: "query template" | "change template" | "query status" | "enumerate dependents" | "start" | "stop" | "pause and continue" | "interrogate" | "user-defined control" | "delete" | "read permissions" | "change permissions" | "take ownership"
</user>
</acl>
<custom_item>
type: SERVICE_PERMISSIONS
description: "Permissions for Alerter Service"
value_type: SERVICE_ACL
value_data: "ACL3"
service: "Alerter"
</custom_item>
When the above check is executed, the compliance module checks whether the permissions defined for the Alerter service match the ones described in service_acl ACL3.
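To see what a comparison against ACL3 involves, the following added example (not Tenable's code, and not part of the original page) decodes a service security descriptor in SDDL form, as printed by `sc sdshow <service>`, into the acl_allow names used above and reports per-account differences from ACL3. The pairing of SDDL right codes with acl_allow names is this example's assumption, the SDDL string is constructed sample data, and the function names are hypothetical.

```python
import re

# SDDL right code -> acl_allow name (pairing assumed by this example; it follows
# the bit order of the Windows service access rights, lowest bit first).
RIGHTS = {
    "CC": "query template", "DC": "change template", "LC": "query status",
    "SW": "enumerate dependents", "RP": "start", "WP": "stop",
    "DT": "pause and continue", "LO": "interrogate", "CR": "user-defined control",
    "SD": "delete", "RC": "read permissions", "WD": "change permissions",
    "WO": "take ownership",
}
# SDDL SID aliases for the accounts in ACL3. "WD" means Everyone in the SID
# field and "change permissions" in the rights field; the position decides.
SIDS = {"BA": "Administrators", "SY": "SYSTEM", "IU": "Interactive", "WD": "Everyone"}
FULL = set(RIGHTS.values())
READ = {"query template", "query status", "enumerate dependents",
        "interrogate", "user-defined control", "read permissions"}
# ACL3 exactly as written in the example above.
ACL3 = {"Administrators": FULL, "SYSTEM": FULL, "Interactive": READ, "Everyone": FULL}

def decode_dacl(sddl):
    """Return {account: set of acl_allow names} from the allow ACEs of a DACL."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    acl = {}
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        ace_type, _flags, rights, _obj, _inh, sid = ace.split(";")[:6]
        if ace_type != "A":  # only access-allowed ACEs correspond to acl_allow
            continue
        if rights.startswith("0x"):
            raise ValueError("hex access masks are not handled in this example")
        names = {RIGHTS.get(code, code) for code in re.findall("..", rights)}
        acl.setdefault(SIDS.get(sid, sid), set()).update(names)
    return acl

def compare(expected, actual):
    """Return {account: {"missing", "extra"}} for every account that differs."""
    out = {}
    for account in sorted(set(expected) | set(actual)):
        want, have = expected.get(account, set()), actual.get(account, set())
        if want != have:
            out[account] = {"missing": want - have, "extra": have - want}
    return out

# Constructed sample: matches ACL3 except that Interactive also holds RP (start).
SAMPLE = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
          "(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    print(compare(ACL3, decode_dacl(SAMPLE)))
```

Unknown right codes and unmapped SIDs are kept verbatim in the output, so they show up as differences instead of being dropped.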