Objective
- Changes to the permissions on files could block security settings from being applied.
- Changes to the permissions on files could leak sensitive information.
- Changes to the permissions on files could lead to a system compromise.
- Audit the permissions on these files.
Manual audit with PowerShell
View the permissions on the Application log file with PowerShell:
get-acl "C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx" | fl
Path : Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx
Owner : NT AUTHORITY\LOCAL SERVICE
Group : NT AUTHORITY\LOCAL SERVICE
Access : NT SERVICE\EventLog Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
Audit :
Sddl : O:LSG:LSD:AI(A;ID;FA;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)(A;ID;FA;;;SY)(A;ID;FA;;;BA)
Audit with a Nessus audit file
<check_type: "Windows" version:"2">
<group_policy: "MS Windows Server">
<file_acl: "ACL_WINEVT_LOGS_application.evtx">
<user: "Administrators">
acl_inheritance: "inherited"
acl_apply: "this object only"
acl_allow: "full control"
</user>
<user: "System">
acl_inheritance: "inherited"
acl_apply: "this object only"
acl_allow: "full control"
</user>
<user: "EventLog">
acl_inheritance: "inherited"
acl_apply: "this object only"
acl_allow: "full control"
</user>
</acl>
<custom_item>
type: FILE_PERMISSIONS
description: "Audit file permissions on %SystemRoot%\SYSTEM32\WINEVT\LOGS\application.evtx"
value_type: FILE_ACL
value_data: "ACL_WINEVT_LOGS_application.evtx"
file: "C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx"
</custom_item>
</group_policy>
</check_type>
Error
Running this audit file against this particular file results in an error: the Event Log service keeps the log open (a file lock), so Nessus cannot open it and reports FILE_ERROR_FILE_CREATE.
Windows Compliance Checks, version 1.263
Which file contains your security policy : SMB login : stty: 'standard input': Inappropriate ioctl for device
SMB password : stty: 'standard input': Inappropriate ioctl for device
SMB domain (optional) : "Audit for %SystemRoot%\SYSTEM32\WINEVT\LOGS\application.evtx": [ERROR]
FILE_ERROR_FILE_CREATE: the file could not be opened. It could not be found or permissions were insufficient
file: C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx
Alternative approach
We can use the PowerShell cmdlet Get-Acl to perform the audit instead. Get-Acl only reads the security descriptor, so the lock held by the Event Log service does not get in the way.
We run the command and filter out the known-good identities; any ACE that remains belongs to an identity that should not be on the file. Note that this filter checks only who is listed, not which rights the known-good identities hold.
get-acl "C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx" | select -ExpandProperty access | select IdentityReference, FileSystemRights | Where {$_.IdentityReference -ne "NT SERVICE\EventLog" -and $_.IdentityReference -ne "NT AUTHORITY\SYSTEM" -and $_.IdentityReference -ne "BUILTIN\Administrators" }
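The one-liner above covers a single file and only compares identities. The following script is an added example (not part of the original page or of Tenable's audit files) that extends the same Get-Acl approach to the Application, Security and System logs named in the references and compares every ACE against an explicit allow-list, so a Deny entry, an unexpected right on a known identity, or an explicitly set (non-inherited) ACE is also reported. The function name Test-EventLogAcl and the variable names are the author's own choice; the allowed identities and rights are taken from the get-acl output shown earlier.

```powershell
# Added example: audit Windows event log files against an explicit ACE allow-list.
# Known-good ACEs, as seen in the Get-Acl output for application.evtx above.
$ExpectedAces = @(
    [pscustomobject]@{ Identity = 'NT SERVICE\EventLog';    Rights = 'FullControl' }
    [pscustomobject]@{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }
    [pscustomobject]@{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' }
)

function Test-EventLogAcl {
    # Returns one object per ACE that deviates from the allow-list; no output means PASS.
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [Parameter(Mandatory)] [object[]] $Expected
    )
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) {
            Write-Warning "Missing: $file"
            continue
        }
        # Get-Acl reads the security descriptor only, so the Event Log
        # service's open handle on the .evtx file does not block it.
        $acl = Get-Acl -LiteralPath $file
        foreach ($ace in $acl.Access) {
            $identity = $ace.IdentityReference.Value
            $rights   = $ace.FileSystemRights.ToString()
            $match    = $Expected | Where-Object { $_.Identity -eq $identity -and $_.Rights -eq $rights }

            $reasons = @()
            if ($ace.AccessControlType -ne 'Allow') { $reasons += 'Deny ACE present' }
            if (-not $match)                        { $reasons += 'ACE not in allow-list' }
            if (-not $ace.IsInherited)              { $reasons += 'explicit (non-inherited) ACE' }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    File     = $file
                    Identity = $identity
                    Rights   = $rights
                    Type     = $ace.AccessControlType
                    Reason   = $reasons -join '; '
                }
            }
        }
    }
}

# The three log files covered by V-63533, V-63537 and V-63541.
$logs = 'application.evtx', 'security.evtx', 'system.evtx' |
    ForEach-Object { Join-Path $env:SystemRoot "System32\winevt\Logs\$_" }

$findings = Test-EventLogAcl -Path $logs -Expected $ExpectedAces
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'PASS: only the expected inherited Allow ACEs are present on the event log files'
}
```

Run it from an elevated PowerShell prompt on the host being audited. Because the function emits nothing when every ACE is on the allow-list, it can be dropped into an AUDIT_POWERSHELL item in the same way as the one-liner: value_data "" with CHECK_EQUAL and CAN_BE_NULL passes only when the command produces no output.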
New Nessus audit file check
This item runs the filtered Get-Acl command on the target and passes only when it prints nothing: value_data is the empty string, check_type is CHECK_EQUAL, and CAN_BE_NULL allows the empty result to count as a match.
<check_type: "Windows" version:"2">
<group_policy: "MS Windows Server">
<custom_item>
type : AUDIT_POWERSHELL
description : "Audit file permissions on %SystemRoot%\SYSTEM32\WINEVT\LOGS\application.evtx"
value_type : POLICY_TEXT
value_data : ""
powershell_args : 'get-acl \\"C:\\Windows\\SYSTEM32\\WINEVT\\LOGS\\application.evtx\\" | select -ExpandProperty access | select IdentityReference, FileSystemRights | Where {$_.IdentityReference -ne \\"NT SERVICE\\EventLog\\" -and $_.IdentityReference -ne \\"NT AUTHORITY\\SYSTEM\\" -and $_.IdentityReference -ne \\"BUILTIN\\Administrators\\" }'
check_type : CHECK_EQUAL
powershell_option : CAN_BE_NULL
</custom_item>
</group_policy>
</check_type>
References
- V-63533 – Permissions for the Application event log must prevent access by non-privileged accounts.
- V-63537 – Permissions for the Security event log must prevent access by non-privileged accounts.
- V-63541 – Permissions for the System event log must prevent access by non-privileged accounts.