16 Replies Latest reply on Jan 5, 2015 3:13 AM by Monoj Padhy

    Compliance check on File permissions using BSA

    Roy Ong

      Hi,

      I'm trying to do a file permissions compliance check on a file, for example %SystemRoot%\system32\arp.exe.

      I need that file to have these permissions to be compliant:

      TrustedInstaller: Full Control

      Administrators: Read & Execute

      SYSTEM: Read & Execute

      How do I create the compliance rule check in BSA? I tried the below, but it does not seem to work: it flags the file as non-compliant, even though the right value is supposed to be the same as the left value.

      "File:??TARGET.SYSTEMROOT??/System32/ARP.EXE"."Permission ACL (Windows NTFS) (Windows)" =
      ["NT SERVICE\TrustedInstaller Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete Subfolders and Files, Delete, Read Permissions, Change Permissions, Take Ownership, File Synchronize]", "BUILTIN\Administrators Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, File Synchronize]", "NT AUTHORITY\SYSTEM Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, File Synchronize]", "BUILTIN\Users Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, File Synchronize]"]

      Please help, and thanks in advance.

        • 1. Re: Compliance check on File permissions using BSA

          Have you tried using the contains condition?

          "File:??TARGET.SYSTEMROOT??/System32/ARP.EXE" exists  AND

          (  "File:??TARGET.SYSTEMROOT??/System32/ARP.EXE"."Permission ACL (Windows NTFS) (Windows)" contains "NT SERVICE\TRUSTEDINSTALLER Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete Subfolders and Files, Delete, Read Permissions, Change Permissions, Take Ownership]"  OR

             "File:??TARGET.SYSTEMROOT??/System32/ARP.EXE"."Permission ACL (Windows NTFS) (Windows)" contains "NT SERVICE\TRUSTEDINSTALLER Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions]"  OR

             "File:??TARGET.SYSTEMROOT??/System32/ARP.EXE"."Permission ACL (Windows NTFS) (Windows)" contains "BUILTIN\Users Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes]"

          )

          • 2. Re: Compliance check on File permissions using BSA
            Roy Ong

            Hi Patil, I tried your suggestion of using the contains condition on 3 separate lines; it seems I'm still getting non-compliant results. Have you tried it on yours? Are you getting the same?

            Thanks

            • 3. Re: Compliance check on File permissions using BSA

              Can you copy the "Expected" and "Actual" values from BSA and share them?

              • 4. Re: Compliance check on File permissions using BSA
                Roy Ong

                Actual values

                "File:/C/Windows/System32/ARP.EXE"."Permission ACL (Windows NTFS) (Windows)" [["NT SERVICE\TrustedInstaller Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete Subfolders and Files, Delete, Read Permissions, Change Permissions, Take Ownership, File Synchronize]", "BUILTIN\Administrators Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, File Synchronize]", "NT AUTHORITY\SYSTEM Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, File Synchronize]", "BUILTIN\Users Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, File Synchronize]"]]

                Expected values

                (
                TrustedInstaller: Full Control
                Administrators: Read & Execute
                SYSTEM: Read & Execute
                )

                contains "NT AUTHORITY\SYSTEM Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, File Synchronize]"

                contains "NT SERVICE\TRUSTEDINSTALLER Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete Subfolders and Files, Delete, Read Permissions, Change Permissions, Take Ownership, File Synchronize]"

                "BUILTIN\ADMINISTRATORS Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, File Synchronize]"

                • 5. Re: Compliance check on File permissions using BSA
                  Bill Robinson

                  Can you show a screenshot of the rule and the result or test result panes?

                  • 6. Re: Compliance check on File permissions using BSA
                    Roy Ong

                    Hi Bill,

                    Please see the attached screenshots: compliancefile1.jpg, compliancefile2.jpg

                    File permission compliance rule:

                    "File:??TARGET.SYSTEMROOT??/System32/ARP.EXE"."Permission ACL (Windows NTFS) (Windows)" = ["NT SERVICE\TrustedInstaller Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete Subfolders and Files, Delete, Read Permissions, Change Permissions, Take Ownership, File Synchronize]", "BUILTIN\Administrators Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, File Synchronize]", "NT AUTHORITY\SYSTEM Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, File Synchronize]", "BUILTIN\Users Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, File Synchronize]"]


                    Actual value (left value)

                    "File:/C/Windows/System32/ARP.EXE"."Permission ACL (Windows NTFS) (Windows)" [["NT SERVICE\TrustedInstaller Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete Subfolders and Files, Delete, Read Permissions, Change Permissions, Take Ownership, File Synchronize]", "BUILTIN\Administrators Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, File Synchronize]", "NT AUTHORITY\SYSTEM Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, File Synchronize]", "BUILTIN\Users Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, File Synchronize]"]]

                    • 7. Re: Compliance check on File permissions using BSA

                      Can you try using the contains operator in place of "="?

                      • 8. Re: Compliance check on File permissions using BSA
                        Roy Ong

                        Yes, I have tried using contains, split up as shown in my earlier post. It doesn't seem to work. I also tried using contains, and it flags non-compliant even when checking only one user permission. Does it work for you?

                        Thanks.

                        Regards

                        Roy

                        • 9. Re: Compliance check on File permissions using BSA

                          I see additional [] in the Actual values compared to the expected ones.

                          • 10. Re: Compliance check on File permissions using BSA
                            Bill Robinson

                            It looks like they both match, so I'm not sure why it's failing. Can you run the job with the DEBUG_MODE_ENABLED property set to true, and then grab the job run debug logs from NSH/tmp on the appserver(s) that ran the job? That might show more info.

                            • 11. Re: Compliance check on File permissions using BSA
                              Roy Ong

                              Hi Bill,

                              I was using the test compliance rule option to test whether the rules are correct and working. So are you suggesting I should use a compliance job, turn on debug, and run that rule on a server?

                              • 12. Re: Compliance check on File permissions using BSA
                                Bill Robinson

                                Yep. That might give us more info about why there is a failure; I don't see why it's failing, because the lhs and rhs look the same to me.

                                • 13. Re: Compliance check on File permissions using BSA
                                  Joe Piotrowski

                                  I see additional [] in the Actual values compared to the expected ones.

                                  Did you check this? Sometimes when I modify Rules extra characters like this get inserted.

                                  • 14. Re: Compliance check on File permissions using BSA
                                    Roy Ong

                                    Hmm, I somehow got it to work. When I saved the rules and ran the discovery and compliance job, that specific rule showed as compliant. So somehow, when I was testing the rule, it didn't work until I ran discovery and created the components for compliance... Is this the intended behavior? I thought just testing out the rules should not behave as such, otherwise it just defeats the purpose of doing the testing. Can you guys try running that test like mine (without running discovery above) to see if it concurs with mine? Thanks
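The thread compares the "Actual" ACL string BSA renders against an expected ACL by hand, and two details that make such string comparisons brittle come up along the way: the doubled [[ ]] around the actual value (replies 9 and 13), and contains-strings whose case and right list differ slightly from what BSA rendered (reply 1's TRUSTEDINSTALLER entry has no "File Synchronize"). The following added example, written by the editor rather than taken from BSA or from anyone in the thread, parses the ACE strings in the format shown in the thread, normalises case, whitespace and ordering, and diffs actual against expected per trustee so a reviewer can see exactly which right or trustee differs, and whether the only deviation is an extra trustee (BUILTIN\Users here) that an "=" rule rejects but a "contains" rule accepts. The ACE string format, the sample inputs (copied from the posts above) and the strict/lenient policy are the example's own assumptions, not BSA semantics.

```python
import re

# Added example, not BSA code: diff a BSA-rendered NTFS ACL against an expected ACL.


def _norm(text):
    """Lower-case and collapse whitespace so 'TRUSTEDINSTALLER' == 'TrustedInstaller'."""
    return " ".join(text.split()).lower()


def rights(*names):
    """Build a normalised, order-independent set of right names (blanks dropped)."""
    return frozenset(_norm(n) for n in names if n.strip())


# Right names exactly as BSA spells them in the thread's ACE strings.
READ_EXECUTE = rights(
    "Traverse Folder/Execute File", "List Folder/Read Data", "Read Attributes",
    "Read Extended Attributes", "Read Permissions", "File Synchronize",
)
FULL_CONTROL = READ_EXECUTE | rights(
    "Create Files/Write Data", "Create Folders/Append Data", "Write Attributes",
    "Write Extended Attributes", "Delete Subfolders and Files", "Delete",
    "Change Permissions", "Take Ownership",
)

# Expected ACL for arp.exe as stated in the question (it lists no BUILTIN\Users entry).
EXPECTED = {
    (_norm(r"NT SERVICE\TrustedInstaller"), "allow"): FULL_CONTROL,
    (_norm(r"BUILTIN\Administrators"), "allow"): READ_EXECUTE,
    (_norm(r"NT AUTHORITY\SYSTEM"), "allow"): READ_EXECUTE,
}

# Constructed sample input: the "Actual value" string from the thread, including the
# doubled [[ ]] exactly as BSA displayed it.
ACTUAL_RAW = r'''[["NT SERVICE\TrustedInstaller Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete Subfolders and Files, Delete, Read Permissions, Change Permissions, Take Ownership, File Synchronize]", "BUILTIN\Administrators Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, File Synchronize]", "NT AUTHORITY\SYSTEM Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, File Synchronize]", "BUILTIN\Users Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, File Synchronize]"]]'''

# The TrustedInstaller string from reply 1's 'contains' clause: upper-case trustee and
# no "File Synchronize" right (constructed from the post).
REPLY1_TI = r'"NT SERVICE\TRUSTEDINSTALLER Allow [Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete Subfolders and Files, Delete, Read Permissions, Change Permissions, Take Ownership]"'

# One quoted ACE: "<trustee> Allow|Deny [right, right, ...]". Matching on the quotes
# means the surrounding [ ] or [[ ]] wrapper is irrelevant.
ACE_RE = re.compile(r'"(?P<trustee>[^"\[\]]+?)\s+(?P<kind>Allow|Deny)\s+\[(?P<rights>[^\]]*)\]"')


def parse_acl(raw):
    """Return {(trustee, 'allow'|'deny'): frozenset(rights)} from a BSA-style ACL string."""
    acl = {}
    for m in ACE_RE.finditer(raw):
        key = (_norm(m.group("trustee")), m.group("kind").lower())
        acl[key] = rights(*m.group("rights").split(","))
    return acl


def compare(actual, expected):
    """Diff two parsed ACLs: missing trustees, wrong rights per trustee, extra trustees.

    Extra trustees are reported separately because an '=' rule rejects them while a
    'contains' rule silently accepts them; the reviewer decides which policy applies.
    """
    report = {"missing": [], "extra": [], "wrong_rights": {}}
    for key, want in expected.items():
        if key not in actual:
            report["missing"].append(key)
        elif actual[key] != want:
            report["wrong_rights"][key] = {
                "missing": sorted(want - actual[key]),
                "extra": sorted(actual[key] - want),
            }
    report["extra"] = sorted(k for k in actual if k not in expected)
    return report


def is_compliant(report, allow_extra_trustees=False):
    """Strict by default: any unexpected trustee is a finding, as with an '=' rule."""
    if report["missing"] or report["wrong_rights"]:
        return False
    return allow_extra_trustees or not report["extra"]


if __name__ == "__main__":
    actual = parse_acl(ACTUAL_RAW)
    print("against the question's expected ACL:", compare(actual, EXPECTED))
    print("against reply 1's TrustedInstaller string:", compare(actual, parse_acl(REPLY1_TI)))
```

Run stand-alone, the first report shows no missing trustees and no wrong rights, only BUILTIN\Users as an extra trustee, so the file is compliant under a lenient (contains-style) policy and non-compliant under a strict (equality-style) one. The second report shows why an exact contains-string can fail even when the ACL is right: after normalisation the only difference is the "File Synchronize" right that reply 1's string omits.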
