
PowerShell / C# SetAuditRuleProtection() Not Working On Some Folders

I have been fighting with this for a while and cannot find an explanation. I am trying to enable inheritance of audit rules on a directory. In this example I set an audit rule on c:\Program Files\Microsoft SQL Server\MSSQL12.NEWINSTANCE and propagate it to all children. The directory c:\Program Files\Microsoft SQL Server\MSSQL12.NEWINSTANCE\MSSQL\Backup picks up the audit rule through inheritance, but the Log directory does not. Here is the snippet I use to enable inheritance:

$Path = "C:\Program Files\Microsoft SQL Server\MSSQL12.NEWINSTANCE\MSSQL\Log"
[System.IO.DirectoryInfo]$Info = New-Object -TypeName System.IO.DirectoryInfo($Path)
[System.Security.AccessControl.DirectorySecurity]$Acl = $Info.GetAccessControl()
$Acl.SetAuditRuleProtection($false, $false)
$Info.SetAccessControl($Acl)

I have tried many combinations, including Get-Acl, Set-Acl, (Get-Item -Path $Path).GetAccessControl(), and so on. It seems I can disable inheritance and remove the rules, but I cannot disable inheritance and keep the existing rules (by changing the parameters of SetAuditRuleProtection).

I can do all of this through the GUI, so I do not think it is a problem with the directory or the permissions. Any ideas/thoughts would be welcome.

The trick for me was that you cannot do this on a folder or file that currently has no SACL (System Access Control List, also known as audit rules). I wrote a function that sets the rule on the parent, then recurses through all children to set the rule, makes sure it is inherited, and then removes the extra rule.

<#
.SYNOPSIS
 Sets auditing on the file or folder.

.DESCRIPTION
 Implements a File System Audit Rule on the file or folder.

.PARAMETER Path (Required)
 Specifies the file or folder on which to apply the audit rule.

.PARAMETER Principal (Required)
 Specifies the NTAccount name (DOMAIN\User or a well-known name such as Everyone).

.PARAMETER Rights (Required)
 One or more FileSystemRights names to audit, e.g. Delete, ChangePermissions, FullControl.

.PARAMETER Success (Optional, Required if "Failure" not present)
 Specifies to implement an audit rule for successes.

.PARAMETER Failure (Optional, Required if "Success" not present)
 Specifies to implement an audit rule for failures.

.PARAMETER Flags (Required)
 This is an array of two integers that indicate what to apply the audit rule to and what type of recursion should be used.

 Inheritance, Propagation:
 This folder only = 0,0
 This folder, subfolders and files = 3,0
 This folder and subfolders = 1,0
 This folder and files = 2,0
 Subfolders and files only = 3,2
 Subfolders only = 1,2
 Files only = 2,3

.EXAMPLE
 Set-Auditing -Path 'C:\Data' -Principal 'Everyone' -Rights Delete,ChangePermissions -Success -Failure -Flags 3,0 -Verbose
#>
function Set-Auditing {
  [CmdletBinding(SupportsShouldProcess=$true)]
  Param([Parameter(Mandatory=$true, ValueFromPipeline=$false)] [ValidateNotNullOrEmpty()] [string]$Path,
        [Parameter(Mandatory=$true, ValueFromPipeline=$false)] [ValidateNotNullOrEmpty()] [string]$Principal,
        [Parameter(Mandatory=$true, ValueFromPipeline=$false)] [ValidateSet("AppendData","ChangePermissions","CreateDirectories","CreateFiles","Delete","DeleteSubdirectoriesAndFiles","ExecuteFile","FullControl","ListDirectory","Modify","Read","ReadAndExecute","ReadAttributes","ReadData","ReadExtendedAttributes","ReadPermissions","Synchronize","TakeOwnership","Traverse","Write","WriteAttributes","WriteData","WriteExtendedAttributes")] [string[]]$Rights,
        [Parameter(Mandatory=$true, ValueFromPipeline=$false, ParameterSetName="Both")]
        [Parameter(Mandatory=$true, ValueFromPipeline=$false, ParameterSetName="Success")] [switch]$Success,
        [Parameter(Mandatory=$true, ValueFromPipeline=$false, ParameterSetName="Both")]
        [Parameter(Mandatory=$true, ValueFromPipeline=$false, ParameterSetName="Failure")] [switch]$Failure,
        [Parameter(Mandatory=$true, ValueFromPipeline=$false)] [int[]]$Flags)

  Begin {
    # Determine if audit rule exists
    if ($Success.IsPresent) { $AuditFlags=1 } else { $AuditFlags=0 }
    if ($Failure.IsPresent) { $AuditFlags+=2 }

    # Inheritance Flags
    # This folder only = 0
    # This folder, subfolders and files = 3
    # This folder and subfolders = 1
    # This folder and files = 2
    # Subfolders and files only = 3
    # Subfolders only = 1
    # Files only = 2

    # Propagation Flags
    # This folder only = 0
    # This folder, subfolders and files = 0
    # This folder and subfolders = 0
    # This folder and files = 0
    # Subfolders and files only = 2
    # Subfolders only = 2
    # Files only = 2

    # File System Rights
    $fsrAppendData                  =0x000004
    $fsrChangePermissions           =0x040000
    $fsrCreateDirectories           =0x000004
    $fsrCreateFiles                 =0x000002
    $fsrDelete                      =0x010000
    $fsrDeleteSubdirectoriesAndFiles=0x000040
    $fsrExecuteFile                 =0x000020
    $fsrFullControl                 =0x1F01FF
    $fsrListDirectory               =0x000001
    $fsrModify                      =0x0301BF
    $fsrRead                        =0x020089
    $fsrReadAndExecute              =0x0200A9
    $fsrReadAttributes              =0x000080
    $fsrReadData                    =0x000001
    $fsrReadExtendedAttributes      =0x000008
    $fsrReadPermissions             =0x020000
    $fsrSynchronize                 =0x100000
    $fsrTakeOwnership               =0x080000 
    $fsrTraverse                    =0x000020
    $fsrWrite                       =0x000116
    $fsrWriteAttributes             =0x000100
    $fsrWriteData                   =0x000002
    $fsrWriteExtendedAttributes     =0x000010

    $RightValues=0
    for ($i=0; $i -lt $Rights.Count; $i++) {
     switch ($Rights[$i]) {
       "AppendData"                   { $RightValues=$RightValues -bor $fsrAppendData }
       "ChangePermissions"            { $RightValues=$RightValues -bor $fsrChangePermissions }
       "CreateDirectories"            { $RightValues=$RightValues -bor $fsrCreateDirectories }
       "CreateFiles"                  { $RightValues=$RightValues -bor $fsrCreateFiles }
       "Delete"                       { $RightValues=$RightValues -bor $fsrDelete }
       "DeleteSubdirectoriesAndFiles" { $RightValues=$RightValues -bor $fsrDeleteSubdirectoriesAndFiles }
       "ExecuteFile"                  { $RightValues=$RightValues -bor $fsrExecuteFile }
       "FullControl"                  { $RightValues=$RightValues -bor $fsrFullControl }
       "ListDirectory"                { $RightValues=$RightValues -bor $fsrListDirectory }
       "Modify"                       { $RightValues=$RightValues -bor $fsrModify }
       "Read"                         { $RightValues=$RightValues -bor $fsrRead }
       "ReadAndExecute"               { $RightValues=$RightValues -bor $fsrReadAndExecute }
       "ReadAttributes"               { $RightValues=$RightValues -bor $fsrReadAttributes }
       "ReadData"                     { $RightValues=$RightValues -bor $fsrReadData }
       "ReadExtendedAttributes"       { $RightValues=$RightValues -bor $fsrReadExtendedAttributes }
       "ReadPermissions"              { $RightValues=$RightValues -bor $fsrReadPermissions }
       "Synchronize"                  { $RightValues=$RightValues -bor $fsrSynchronize }
       "TakeOwnership"                { $RightValues=$RightValues -bor $fsrTakeOwnership }
       "Traverse"                     { $RightValues=$RightValues -bor $fsrTraverse }
       "Write"                        { $RightValues=$RightValues -bor $fsrWrite }
       "WriteAttributes"              { $RightValues=$RightValues -bor $fsrWriteAttributes }
       "WriteData"                    { $RightValues=$RightValues -bor $fsrWriteData }
       "WriteExtendedAttributes"      { $RightValues=$RightValues -bor $fsrWriteExtendedAttributes }
     }
    }

    # Acquire the object before logging its name; $FS was previously referenced before it was assigned.
    $FS=Get-Item -Path $Path
    Write-Verbose "Acquiring object $($FS.FullName)"
    $ACL=Get-Acl -Path $Path -Audit
    $NothingToDo=$false
    for ($i=0; $i -lt $ACL.Audit.Count; $i++) {
      if ($ACL.Audit[$i].IdentityReference.Value -eq $Principal) {
        if ($ACL.Audit[$i].AuditFlags.value__ -eq $AuditFlags) {
          if ($ACL.Audit[$i].PropagationFlags.value__ -eq $Flags[1]) {
            if ($ACL.Audit[$i].InheritanceFlags.value__ -eq $Flags[0]) {
              if ($ACL.Audit[$i].FileSystemRights.value__ -eq $RightValues) { $NothingToDo=$true; Write-Verbose "Nothing to do" }
            }
          }
        }
      }
    }
  }

  Process {
    if (!$NothingToDo) {
      Write-Verbose "Setting Audit Rule"
      if ($Principal.Contains("\")) { $NTAccount=New-Object System.Security.Principal.NTAccount(($Principal.Split("\"))[0],($Principal.Split("\"))[1]) }
      else { $NTAccount=New-Object System.Security.Principal.NTAccount($Principal) }
      # $FSAR carries the inheritance/propagation flags and is used for folders; $FAR has no flags and is used for files.
      $FSAR=New-Object System.Security.AccessControl.FileSystemAuditRule($NTAccount,$RightValues,$Flags[0],$Flags[1],$AuditFlags)
      $FAR=New-Object System.Security.AccessControl.FileSystemAuditRule($NTAccount,$RightValues,$AuditFlags)
      $ACL.AddAuditRule($FSAR)
      # Inheritance of audit rules can only be enabled once the SACL contains at least one entry.
      $ACL.SetAuditRuleProtection($false, $true)
      Write-Verbose "Applying rule to $($ACL.Path.Replace('Microsoft.PowerShell.Core\FileSystem::',''))"
      $FS.SetAccessControl($ACL)

      # There is one case where we will not propagate the rule to the children: when $Flags = 0,0 (this folder only).
      if (($Flags[0] -eq 0) -and ($Flags[1] -eq 0)) { Write-Verbose "Flags = 0,0; no propagation necessary." }
      else {
        # Now, ensure that all folders and files have inheritance enabled.
        # Wrap the call in @() directly so an empty directory yields an empty array rather than @($null).
        $FS=@(Get-ChildItem -Path $Path -Recurse)
        for ($i=0; $i -lt $FS.Count; $i++) {
          Write-Verbose "Acquiring object $($FS[$i].FullName)"
          $ACL=Get-Acl -Path $FS[$i].FullName -Audit
          # Add an explicit copy of the rule first so the SACL is not empty, then enable inheritance.
          if (Test-Path $ACL.Path -PathType Leaf) { $ACL.AddAuditRule($FAR) } else { $ACL.AddAuditRule($FSAR) }
          $ACL.SetAuditRuleProtection($false, $true)
          $FS[$i].SetAccessControl($ACL)
          Write-Verbose "Applying rule to $($ACL.Path.Replace('Microsoft.PowerShell.Core\FileSystem::',''))"
          # With the inherited rule in place, the explicit copy is redundant and is removed again.
          if (Test-Path $ACL.Path -PathType Leaf) { $ACL.RemoveAuditRule($FAR) > $null } else { $ACL.RemoveAuditRule($FSAR) > $null }
          Write-Verbose "Removing extra rule from $($ACL.Path)"
          $FS[$i].SetAccessControl($ACL)
        }
      }
    }
    else { Write-Verbose "Nothing to do." }
  }
}

As far as I understand, and as stated everywhere online, you cannot reset audit inheritance unless there is an audit rule (it does not handle $null values well). So in your case it should look something like:

# Temporary audit rule just to make sure the SACL is not null (otherwise it won't work)
$tmpAR = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::Delete,
    [System.Security.AccessControl.AuditFlags]::Success
)
$Acl.SetAuditRule($tmpAR)
$Acl.SetAuditRuleProtection($false, $false)
# Don't forget the Set-Acl at the end
Set-Acl -Path $Path -AclObject $Acl

In my case this worked.

Note: I got the ACL with: $Acl = Get-ACL -Path $Path -Audit

Hope this helps.
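Both answers rely on the same workaround: seed the empty SACL with a rule, re-enable inheritance, apply, and then drop the seed. The following is an added example (not code from either answer) that packages that sequence into a function which also removes its placeholder afterwards, plus a check that the child really received inherited entries. It assumes an elevated session holding SeSecurityPrivilege and uses a constructed test tree under C:\AuditTest.

```powershell
# Added example (not from either answer). Assumes an elevated session holding
# SeSecurityPrivilege (needed to read/write SACLs) and a constructed test tree under $Root.
$Root = 'C:\AuditTest'
New-Item -ItemType Directory -Path "$Root\Child" -Force | Out-Null
New-Item -ItemType File -Path "$Root\Child\file.txt" -Force | Out-Null

function Enable-AuditInheritance {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path -Audit
    # Work around the empty-SACL limitation described in the answers: enabling
    # inheritance on an object with no audit entries does nothing, so seed one.
    $seeded = $false
    if ($acl.GetAuditRules($true, $false, [System.Security.Principal.NTAccount]).Count -eq 0) {
        $placeholder = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'ReadAttributes', 'Failure')
        $acl.AddAuditRule($placeholder)
        $seeded = $true
    }
    # isProtected=$false re-enables inheritance; preserveInheritance=$true keeps existing entries.
    $acl.SetAuditRuleProtection($false, $true)
    Set-Acl -Path $Path -AclObject $acl
    # Second pass: the inherited entries now exist, so the placeholder can go.
    if ($seeded) {
        $acl = Get-Acl -Path $Path -Audit
        $acl.RemoveAuditRule($placeholder) | Out-Null
        Set-Acl -Path $Path -AclObject $acl
    }
}

function Test-AuditInherited {
    param([string]$Path, [string]$Principal)
    $acl = Get-Acl -Path $Path -Audit
    # includeExplicit=$false, includeInherited=$true: only entries that came from the parent.
    $inherited = $acl.GetAuditRules($false, $true, [System.Security.Principal.NTAccount])
    return [bool]($inherited | Where-Object { $_.IdentityReference.Value -eq $Principal })
}

# Put a real inheritable rule on the parent (flags 3,0 in the first answer's notation).
$parentAcl = Get-Acl -Path $Root -Audit
$parentAcl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Delete', 'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')))
Set-Acl -Path $Root -AclObject $parentAcl

Enable-AuditInheritance -Path "$Root\Child"
Test-AuditInherited -Path "$Root\Child" -Principal 'Everyone'
```

Run Test-AuditInherited against the child after the call; if it returns $false the SACL was still empty when inheritance was re-enabled, which is exactly the condition the answers describe.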
