FILE_AUDIT

This policy item checks the audit properties (Properties -> Security -> Advanced -> Auditing) of a file or folder against the ACL named in the policy. The check calls GetSecurityInfo with the SACL_SECURITY_INFORMATION level on a handle to the file, so it reads the object's system ACL (SACL), which holds the audit entries, rather than its discretionary ACL (DACL).

Note: This check requires remote registry access on the remote Windows system to function properly.

Usage

<custom_item>
  type: FILE_AUDIT
  description: ["description"]
  value_type: [value_type]
  value_data: [value]
  (optional) check_type: [value]
  file: ["filename"]
  (optional) acl_option: [acl_option]
</custom_item>

The allowed type is:

  value_type: FILE_ACL
  value_data: "ACLname"
  file: "PATH\Filename"

The following predefined paths can be used in the file/folder name:

  %allusersprofile%
  %windir%
  %systemroot%
  %commonfiles%
  %programfiles%
  %systemdrive%
  %systemdirectory%

When using this audit, please note the following:

  • The file field must include the full path to the file or folder name (e.g., C:\WINDOWS\SYSTEM32) or make use of the above path keywords. If using path keywords, the remote registry must be enabled to allow Nessus to determine the path variable values.
  • The value_data field is the name of the ACL defined in the policy file.
  • The acl_option field controls the result when the file or folder does not exist: CAN_BE_NULL reports success, CAN_NOT_BE_NULL reports an error.
  • The acl_allow and acl_deny fields of the referenced ACL correspond to “Successful” and “Failed” audit events respectively.

Example

<check_type: "Windows" version:"2">
<group_policy: "Audits SYSTEM32 directory for correct auditing permissions">

  <file_acl: "ACL1">
    <user: "Everyone">
      acl_inheritance: "not inherited"
      acl_apply: "This folder, subfolders and files"
      acl_deny: "full control"
      acl_allow: "full control"
    </user>
  </acl>

  <custom_item>
    type: FILE_AUDIT
    description: "Audit for C:\WINDOWS\SYSTEM32"
    value_type: FILE_ACL
    value_data: "ACL1"
    file: "%SystemRoot%\SYSTEM32"
  </custom_item>

</group_policy>
</check_type>
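A local equivalent of the check, as an added PowerShell example that is not part of the Tenable documentation or of Nessus itself: it reads the SACL of the target with Get-Acl -Audit and verifies the rule that ACL1 above describes. The function name, the mapping of "This folder, subfolders and files" to ContainerInherit + ObjectInherit inheritance flags, and the PASSED/FAILED/ERROR result strings are my assumptions for illustration, not Tenable's specification; only acl_allow/acl_deny = Success/Failure auditing comes from the page.

```powershell
# Added example, not part of the Tenable documentation: check a folder's SACL
# for the audit rule that the FILE_AUDIT item above asserts. Reading a SACL
# requires SeSecurityPrivilege, so run this from an elevated PowerShell session.
# Result strings (PASSED/FAILED/ERROR) are an assumption modelled on Nessus output.

function Test-FileAuditRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Identity = 'Everyone',                              # <user: "Everyone">
        [System.Security.AccessControl.FileSystemRights] $Rights = 'FullControl',
        # acl_allow / acl_deny in the policy map to Success / Failure auditing
        [System.Security.AccessControl.AuditFlags] $AuditFlags = 'Success, Failure',
        # "This folder, subfolders and files" == ContainerInherit + ObjectInherit, no propagation limits (assumed mapping)
        [System.Security.AccessControl.InheritanceFlags] $Inheritance = 'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags] $Propagation = 'None',
        [switch] $AllowInherited,     # default mirrors acl_inheritance: "not inherited"
        [switch] $MissingIsPass       # acl_option: CAN_BE_NULL; default behaves like CAN_NOT_BE_NULL
    )

    # Only real environment variables expand here (%SystemRoot%, %ProgramFiles%, ...);
    # Nessus-only keywords such as %commonfiles% are resolved by the scanner, not by Windows.
    $resolved = [Environment]::ExpandEnvironmentVariables($Path)
    $report = [ordered]@{ Path = $resolved; Result = 'FAILED'; Reason = ''; AuditFlagsFound = 'None' }

    if (-not (Test-Path -LiteralPath $resolved)) {
        $report.Result = if ($MissingIsPass) { 'PASSED' } else { 'ERROR' }
        $report.Reason = 'path does not exist'
        return [pscustomobject]$report
    }

    $wantedSid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
                     [System.Security.Principal.SecurityIdentifier])

    # -Audit makes Get-Acl read the SACL (SACL_SECURITY_INFORMATION), not just the DACL.
    $auditRules = (Get-Acl -LiteralPath $resolved -Audit).Audit

    # Windows may store Success and Failure as two separate ACEs for the same trustee,
    # so collect every matching ACE and OR their audit flags together before comparing.
    $found = 0
    foreach ($rule in $auditRules) {
        try {
            $ruleSid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            continue   # orphaned SID or unresolvable account: cannot be the trustee we want
        }
        if ($ruleSid -ne $wantedSid) { continue }
        if ($rule.IsInherited -and -not $AllowInherited) { continue }
        if ($rule.InheritanceFlags -ne $Inheritance) { continue }
        if ($rule.PropagationFlags -ne $Propagation) { continue }
        # The ACE must grant at least the required rights (a superset is acceptable).
        if (([int]$rule.FileSystemRights -band [int]$Rights) -ne [int]$Rights) { continue }
        $found = $found -bor [int]$rule.AuditFlags
    }

    $foundFlags = [System.Security.AccessControl.AuditFlags]$found
    $report.AuditFlagsFound = $foundFlags.ToString()
    if (($found -band [int]$AuditFlags) -eq [int]$AuditFlags) {
        $report.Result = 'PASSED'
        $report.Reason = "audit rule for $Identity covers $AuditFlags on $Rights"
    } else {
        $report.Reason = "expected $AuditFlags auditing for $Identity, found $foundFlags"
    }
    [pscustomobject]$report
}

# Same target as the policy example: SYSTEM32, Everyone, Success + Failure, Full Control.
Test-FileAuditRule -Path '%SystemRoot%\SYSTEM32' | Format-List
```

Run it without elevation and Get-Acl -Audit returns an empty Audit collection rather than an error, so the function reports FAILED with AuditFlagsFound = None; that is the same symptom a Nessus scan shows when the scanning account lacks the privilege to read SACLs, and is worth ruling out before concluding the auditing is actually missing.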

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.