FILE_PERMISSIONS
This policy item checks if the FILE_PERMISSIONS ACL is correct. The check is performed by calling the function GetSecurityInfo with level 7 on the file handle.
Note: This check requires remote registry access for the remote Windows system to function properly.
Usage
<custom_item>
type: FILE_PERMISSIONS
description: ["description"]
value_type: [value_type]
value_data: [value]
(optional) check_type: [value]
file: ["filename"]
(optional) acl_option: [acl_option]
</custom_item>
The allowed type is:
value_type: FILE_ACL
value_data: "ACLname"
file: "PATH\Filename"
The following predefined paths can be used in the file/folder name:
%allusersprofile%
%windir%
%systemroot%
%commonfiles%
%programfiles%
%systemdrive%
%systemdirectory%
When using this audit, please note the following:
- The file field must include the full path to the file or folder name (e.g., C:\WINDOWS\SYSTEM32) or make use of the above path keywords. If using path keywords, the remote registry must be enabled to allow Nessus to determine the path variable values.
- The value_data field is the name of an ACL defined in the policy file.
- The acl_option field can be set to CAN_BE_NULL or CAN_NOT_BE_NULL to force a success/error if the file does not exist.
Examples
<file_acl: "ACL1">
<user: "Administrators">
acl_inheritance: "not inherited"
acl_apply: "This object only"
acl_allow: "Full Control"
</user>
<user: "System">
acl_inheritance: "not inherited"
acl_apply: "This object only"
acl_allow: "Full Control"
</user>
</acl>
<custom_item>
type: FILE_PERMISSIONS
description: "Permissions for C:\WINDOWS\SYSTEM32"
value_type: FILE_ACL
value_data: "ACL1"
file: "C:\WINDOWS\SYSTEM32"
</custom_item>
<custom_item>
type: FILE_PERMISSIONS
description: "Permissions for C:\WINDOWS\SYSTEM32"
value_type: FILE_ACL
value_data: "ACL1"
file: "%SystemRoot%\SYSTEM32"
</custom_item>
When the above check is executed, the compliance module will check if the permissions defined for %SystemRoot%\SYSTEM32 match the ones described in file_acl ACL1.
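The notes above put three constraints on a FILE_PERMISSIONS item: value_data must name a file_acl defined in the policy file, file must be a full path or start with one of the listed path keywords, and acl_option (if present) must be CAN_BE_NULL or CAN_NOT_BE_NULL. The following pre-flight check for policy text is an added example, not part of the original documentation or of Nessus; the function name, the sample policy and the drive-letter test for "full path" are assumptions of this example.

```python
import re

# Path keywords listed on this page; its own example writes %SystemRoot%, so compare lower-cased.
PATH_KEYWORDS = set("%allusersprofile% %windir% %systemroot% %commonfiles% %programfiles% %systemdrive% %systemdirectory%".split())
ACL_OPTIONS = {"CAN_BE_NULL", "CAN_NOT_BE_NULL"}
ACL_RE = re.compile(r'<file_acl\s*:\s*"([^"]+)"\s*>')
ITEM_RE = re.compile(r"<custom_item>(.*?)</custom_item>", re.S)
FIELD_RE = re.compile(r'^\s*(\w+)\s*:\s*"?(.*?)"?\s*$', re.M)

def lint_file_permissions(audit_text):
    """Return (item_number, problem) pairs; a "full path" is assumed to start with a drive letter."""
    acls, findings = set(ACL_RE.findall(audit_text)), []
    for n, body in enumerate(ITEM_RE.findall(audit_text), start=1):
        f = dict(FIELD_RE.findall(body))  # field name -> value with surrounding quotes removed
        if f.get("type") != "FILE_PERMISSIONS":
            continue  # other check types are out of scope here
        path = f.get("file", "")
        keyword = re.match(r"%[^%]+%", path)
        path_ok = keyword.group(0).lower() in PATH_KEYWORDS if keyword else bool(re.match(r"[A-Za-z]:\\", path))
        checks = [(f.get("value_data") in acls, "value_data names an undefined file_acl"),
                  (path_ok, "file is neither a full path nor a listed path keyword"),
                  (f.get("acl_option", "CAN_BE_NULL") in ACL_OPTIONS, "acl_option must be CAN_BE_NULL or CAN_NOT_BE_NULL")]
        findings += [(n, msg) for ok, msg in checks if not ok]
    return findings

# Constructed sample: item 1 is valid; item 2 has an undefined ACL, a relative path and a bad acl_option.
SAMPLE = r'''<file_acl: "ACL1">
<user: "Administrators">
acl_inheritance: "not inherited"
acl_apply: "This object only"
acl_allow: "Full Control"
</user>
</acl>
<custom_item>
type: FILE_PERMISSIONS
description: "Valid item"
value_type: FILE_ACL
value_data: "ACL1"
file: "%SystemRoot%\SYSTEM32"
</custom_item>
<custom_item>
type: FILE_PERMISSIONS
description: "Three mistakes"
value_type: FILE_ACL
value_data: "ACL2"
file: "SYSTEM32\drivers"
acl_option: MAY_BE_NULL
</custom_item>'''
print(lint_file_permissions(SAMPLE))
```

Running a check like this before a scan catches an item that points at a missing ACL name or an unresolvable path, so a broken item is not mistaken for a real compliance result.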