Difference between revisions of "Filesystem Audit Powershell"
Michael.mast (talk | contribs) |
(2 intermediate revisions by the same user not shown)
Line 11: | Line 11:
</pre> | </pre> | ||
The full script I pulled together so far will create a CSV file<ref>https://stackoverflow.com/questions/20858133/output-powershell-variables-to-a-text-file</ref>, a row dedicated to each user/group permission. The main issue at this point is running into directories that are longer than 260 characters<ref>https://arstechnica.com/civis/viewtopic.php?t=1330043</ref>. I am running PS 5.0 and it appears I can not use unicode paths unless I upgrade to 5.1. | The full script I pulled together so far will create a CSV file<ref>https://stackoverflow.com/questions/20858133/output-powershell-variables-to-a-text-file</ref>, a row dedicated to each user/group permission. The main issue at this point is running into directories that are longer than 260 characters<ref>https://arstechnica.com/civis/viewtopic.php?t=1330043</ref>. I am running PS 5.0 and it appears I can not use unicode paths unless I upgrade to 5.1. | ||
+ | <br> | ||
+ | <br> | ||
+ | *NOTE : In the example below, it is important to note that you must use "\\?\UNC\" before your UNC path. This specifies that you are using a UNC path and must not be omitted. | ||
<pre> | <pre> | ||
− | $directorylist=dir -Recurse -Directory \\network-share\directory | select fullname | + | $date1=date |
− | "Directory|User_Group|Allow_Deny|Permissions|Inherited|Propagation" | Out-File | + | $outfiledest="permtest2.txt" |
+ | $directorylist=dir -Recurse -Directory -LiteralPath '\\?\UNC\network-share\directory\' | select fullname | ||
+ | "Directory|User_Group|Allow_Deny|Permissions|Inherited|Propagation" | Out-File $outfiledest | ||
$directorylist | foreach { | $directorylist | foreach { | ||
− | $directoryname=$_.fullname | + | $directoryname=($_.fullname) -replace '\\\?\\UNC','' |
$perms=(Get-Item $directoryname).GetAccessControl() | select -ExpandProperty access | $perms=(Get-Item $directoryname).GetAccessControl() | select -ExpandProperty access | ||
− | |||
$perms | foreach { | $perms | foreach { | ||
$user= $_ | select -ExpandProperty identityreference | $user= $_ | select -ExpandProperty identityreference | ||
Line 24: | Line 28:
$inherit=$_ | select -ExpandProperty isinherited | $inherit=$_ | select -ExpandProperty isinherited | ||
$prop=$_ |select -ExpandProperty propagationflags | $prop=$_ |select -ExpandProperty propagationflags | ||
− | "$directoryname|$user|$allowdeny|$permissions|$inherit|$prop" | Out-File -Append | + | "$directoryname|$user|$allowdeny|$permissions|$inherit|$prop" | Out-File -Append $outfiledest |
} | } | ||
} | } | ||
+ | $date2=date | ||
+ | $span=new-timespan -start $date1 -End $date2 | ||
+ | $hours=$span.Hours | ||
+ | $minutes=$span.Minutes | ||
+ | $seconds=$span.seconds | ||
+ | echo "$hours $minutes $seconds" | ||
</pre> | </pre> | ||
Next step is to convert to use a MySQL database. | Next step is to convert to use a MySQL database. | ||
==Issues== | ==Issues== | ||
− | One issue is the limited Windows API call that maxes out at 260 characters. This is a well documented problem that requires the use of unicode paths<https://blogs.msdn.microsoft.com/bclteam/2007/02/13/long-paths-in-net-part-1-of-3-kim-hamilton/</ref> | + | One issue is the limited Windows API call that maxes out at 260 characters. This is a well documented problem that requires the use of unicode paths<ref>https://blogs.msdn.microsoft.com/bclteam/2007/02/13/long-paths-in-net-part-1-of-3-kim-hamilton/</ref><ref>https://stackoverflow.com/questions/46308030/handling-path-too-long-exception-with-new-psdrive/46309524</ref> |
==Other Notes== | ==Other Notes== |
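Review bot: the `Get-Item $directoryname` call inside the loop receives the path after the `-replace '\\\?\\UNC',''` has stripped the long-path prefix, so the `\\?\UNC\` form only protects the `dir -Recurse -Directory -LiteralPath` enumeration; any directory whose path is longer than 260 characters will still fail at `.GetAccessControl()`. Keep `$_.fullname` (with the prefix) for the access-control call, e.g. `(Get-Item -LiteralPath $_.fullname).GetAccessControl()`, and use the stripped `$directoryname` only for the output row. Using `-LiteralPath` there also stops directory names containing `[` or `]` from being read as wildcard patterns, which bare `Get-Item` does. The replace pattern itself is fine: it matches `\?\UNC`, leaving `\\network-share\...` intact.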
Latest revision as of 10:04, 25 February 2019
WIP, just throwing things down on paper at the moment.
Purpose
To generate a list of permissions on a network share, dump it to a database, compare it to the list of users from AD, and generate reports on what users have access to.
Process
This was an uphill battle trying to re-learn objects (it has been a while since my last need for PowerShell). Trying to design a new domain forest and security groups meant I needed to understand the current deployment. The idea with the current design was to keep things simple, but business requirements got out of hand. [1]
(get-item \\network-share\directory).GetAccessControl() | select -ExpandProperty access | select identityreference,filesystemrights,isinherited
The full script I pulled together so far will create a CSV file[2], with a row dedicated to each user/group permission. The main issue at this point is running into directories whose paths are longer than 260 characters[3]. I am running PS 5.0 and it appears I cannot use unicode paths unless I upgrade to 5.1.
- NOTE: In the example below, you must put "\\?\UNC\" before your UNC path. This prefix tells Windows you are using a long UNC path and must not be omitted.
$date1=date
$outfiledest="permtest2.txt"
# The \\?\UNC\ prefix opts in to long (>260 character) paths; -LiteralPath keeps PowerShell from treating the path as a wildcard pattern
$directorylist=dir -Recurse -Directory -LiteralPath '\\?\UNC\network-share\directory\' | select fullname
"Directory|User_Group|Allow_Deny|Permissions|Inherited|Propagation" | Out-File $outfiledest
$directorylist | foreach {
    # Strip the prefix only for the report column (the pattern matches \?\UNC, leaving \\network-share\... intact)
    $directoryname=($_.fullname) -replace '\\\?\\UNC',''
    # Read the ACL through the prefixed path so directories past 260 characters still resolve
    $perms=(Get-Item -LiteralPath $_.fullname).GetAccessControl() | select -ExpandProperty access
    $perms | foreach {
        $user= $_ | select -ExpandProperty identityreference
        $allowdeny=$_ | select -ExpandProperty accesscontroltype
        $permissions=$_ | select -ExpandProperty filesystemrights
        $inherit=$_ | select -ExpandProperty isinherited
        $prop=$_ |select -ExpandProperty propagationflags
        "$directoryname|$user|$allowdeny|$permissions|$inherit|$prop" | Out-File -Append $outfiledest
    }
}
$date2=date
$span=new-timespan -start $date1 -End $date2
$hours=$span.Hours
$minutes=$span.Minutes
$seconds=$span.seconds
echo "$hours $minutes $seconds"
Next step is to convert to use a MySQL database.
Issues
One issue is the Windows API path limit of 260 characters. This is a well documented problem that requires the use of unicode (\\?\) paths.[4][5]
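As an added example that is not the wiki author's script, here is the same permission dump written the way I would run it against a share: every file-system call keeps the \\?\UNC\ long-path form (the page notes this needs PowerShell 5.1), paths are passed with -LiteralPath so bracket characters in directory names are not treated as wildcards, rows go out through Export-Csv as real CSV (no delimiter clashes with the "Rights" column, which already contains commas), and directories that cannot be read are recorded in a second file instead of aborting the run. The share name \\fileserver\share, the output file names and the function names are placeholders I chose.

```powershell
# Added example, not the wiki page's script. Assumes Windows PowerShell 5.1 (long-path prefix support).

function ConvertTo-LongUncPath {
    param([Parameter(Mandatory)][string]$Path)
    # \\server\share\dir -> \\?\UNC\server\share\dir ; an already-prefixed path is returned unchanged
    if ($Path.StartsWith('\\?\')) { return $Path }
    if ($Path.StartsWith('\\'))   { return '\\?\UNC\' + $Path.Substring(2) }
    return '\\?\' + $Path             # local drive path, e.g. D:\data
}

function ConvertFrom-LongUncPath {
    param([Parameter(Mandatory)][string]$Path)
    # Reverse of the above, so the report shows the path users actually type
    if ($Path.StartsWith('\\?\UNC\')) { return '\\' + $Path.Substring(8) }
    if ($Path.StartsWith('\\?\'))     { return $Path.Substring(4) }
    return $Path
}

function Get-DirectoryAceReport {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string]$OutFile   = 'perms.csv',     # placeholder output name
        [string]$ErrorFile = 'errors.csv'     # placeholder output name
    )
    $longRoot = ConvertTo-LongUncPath $Root
    $rows     = New-Object System.Collections.Generic.List[object]
    $failures = New-Object System.Collections.Generic.List[object]

    # -LiteralPath: no wildcard expansion, so names containing [ or ] are read as-is.
    # -ErrorVariable collects directories the enumerator itself could not open (access denied etc.).
    $dirs = Get-ChildItem -LiteralPath $longRoot -Recurse -Directory -ErrorAction SilentlyContinue -ErrorVariable enumErrors
    foreach ($e in $enumErrors) {
        $failures.Add([pscustomobject]@{ Directory = "$($e.TargetObject)"; Error = $e.Exception.Message })
    }

    # Include the root itself, then every subdirectory; every object still carries the \\?\UNC\ form
    foreach ($dir in @(Get-Item -LiteralPath $longRoot) + @($dirs)) {
        $display = ConvertFrom-LongUncPath $dir.FullName
        try {
            $acl = $dir.GetAccessControl('Access')   # DACL only; owner/SACL would need extra privilege
        } catch {
            $failures.Add([pscustomobject]@{ Directory = $display; Error = $_.Exception.Message })
            continue
        }
        foreach ($ace in $acl.Access) {
            $rows.Add([pscustomobject]@{
                Directory   = $display
                PathLength  = $display.Length          # lets you spot entries past the classic 260-char limit
                Identity    = $ace.IdentityReference.Value
                Type        = $ace.AccessControlType   # Allow / Deny
                Rights      = $ace.FileSystemRights
                Inherited   = $ace.IsInherited
                Inheritance = $ace.InheritanceFlags
                Propagation = $ace.PropagationFlags
            })
        }
    }
    $rows     | Export-Csv -LiteralPath $OutFile   -NoTypeInformation -Encoding UTF8
    $failures | Export-Csv -LiteralPath $ErrorFile -NoTypeInformation -Encoding UTF8
    return $rows
}

# Usage (placeholder share name):
# $report = Get-DirectoryAceReport -Root '\\fileserver\share'
# $report | Where-Object { $_.PathLength -gt 260 -or $_.Type -eq 'Deny' } | Format-Table -AutoSize
```

Because each row is a PSCustomObject, the same $report can later be pushed into the MySQL table the page plans for without re-parsing a delimited text file, and the errors file is the list of directories the auditing account itself cannot see, which is worth a row in the report rather than a silent gap.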
Other Notes
I ran into a FileSystemRights setting called Synchronize[6]. As far as I understand it, this right is what lets access to a container be synchronized with its contents; in other words, it is what allows you to open the contents using the provided path.
For returning only the matching part of a regular expression, see [7].
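To see what Synchronize does to the values in the Permissions column, here is an added example (not from the page) that decodes a raw FileSystemRights mask the way the report reads it and collapses "ReadAndExecute, Synchronize" to the right people actually mean. It also names the generic rights (GENERIC_READ and friends) that inherit-only entries sometimes carry, which PowerShell otherwise prints as a bare number such as 268435456 because they are not members of the FileSystemRights enum. The masks at the bottom are constructed sample values, not values read from a share; the function name is mine.

```powershell
# Added example, not from the wiki page.
function Format-FileSystemRights {
    param([Parameter(Mandatory)][int]$Mask)
    $original = $Mask
    $sync     = [int][System.Security.AccessControl.FileSystemRights]::Synchronize   # 0x00100000
    $names    = @()

    # Generic rights (bits 28-31) are legal on inherit-only ACEs but are not FileSystemRights members.
    # Name them first and clear them, so the remainder can be cast to the enum.
    $generic = [ordered]@{
        0x10000000  = 'GenericAll'
        0x20000000  = 'GenericExecute'
        0x40000000  = 'GenericWrite'
        -2147483648 = 'GenericRead'      # 0x80000000 expressed as a signed Int32
    }
    foreach ($bit in $generic.Keys) {
        if (($Mask -band $bit) -ne 0) {
            $names += $generic[$bit]
            $Mask = $Mask -band (-bnot $bit)
        }
    }

    if ($Mask -ne 0) {
        $asIs = ([System.Security.AccessControl.FileSystemRights]$Mask).ToString()
        # A single composite name (FullControl, Modify, ...) already accounts for the Synchronize bit.
        # Otherwise drop it, so "ReadAndExecute, Synchronize" reports as "ReadAndExecute".
        if ($asIs -notmatch ',') {
            $names += $asIs
        } else {
            $names += ([System.Security.AccessControl.FileSystemRights]($Mask -band (-bnot $sync))).ToString()
        }
    }

    [pscustomobject]@{
        Mask           = ('0x{0:X8}' -f $original)
        Rights         = ($names -join ', ')
        HasSynchronize = (($original -band $sync) -ne 0)
    }
}

# Constructed sample masks (typical folder ACE values, not read from a real share):
Format-FileSystemRights 0x001200A9   # Rights=ReadAndExecute, HasSynchronize=True
Format-FileSystemRights 0x001F01FF   # Rights=FullControl (composite already includes Synchronize)
Format-FileSystemRights 0x10000000   # Rights=GenericAll, an inherit-only entry with no enum name
Format-FileSystemRights -1610612736  # 0xA0000000: Rights=GenericExecute, GenericRead

# On a live ACE from the report: Format-FileSystemRights ([int]$ace.FileSystemRights)
```

Stripping Synchronize before comparing rights keeps two ACEs that differ only in that bit from showing up as different permissions in the AD comparison the page is working towards; naming the generic bits avoids numeric rights that would otherwise look like data corruption in the report.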
[1] https://blogs.technet.microsoft.com/zarkatech/2012/01/14/audit-file-server-permissions-using-powershell/
[2] https://stackoverflow.com/questions/20858133/output-powershell-variables-to-a-text-file
[3] https://arstechnica.com/civis/viewtopic.php?t=1330043
[4] https://blogs.msdn.microsoft.com/bclteam/2007/02/13/long-paths-in-net-part-1-of-3-kim-hamilton/
[5] https://stackoverflow.com/questions/46308030/handling-path-too-long-exception-with-new-psdrive/46309524
[6] https://rohnspowershellblog.wordpress.com/2015/01/16/what-does-the-synchronize-file-system-right-mean/
[7] https://stackoverflow.com/questions/804754/how-do-i-return-only-the-matching-regular-expression-when-i-select-stringgrep