FileSecurityTest2.py

Luke Murphey, 06/04/2016 06:33 AM

       # Contributed by Kelly Kranabetter.
       import os, sys
       import win32security, ntsecuritycon
       import collections
       # get security information
       #name=r"c:\autoexec.bat"
       #name= r"g:\!workgrp\lim"
       name=sys.argv[1]
       if not os.path.exists(name):
           print name, "does not exist!"
           sys.exit()
       print "On file " , name, "\n"
       description = collections.OrderedDict()
       description2 = collections.OrderedDict()
       # get owner SID
       print "OWNER"
       sd= win32security.GetFileSecurity(name, win32security.OWNER_SECURITY_INFORMATION)
       sid= sd.GetSecurityDescriptorOwner()
       print "  ", win32security.LookupAccountSid(None, sid)
       sid2 = win32security.LookupAccountSid(None, sid)
       description['owner'] = sid2[0] + '\\' + sid2[1]
       description2['owner'] = sid2[0] + '\\' + sid2[1]
       description2['owner_sid'] = str(sid).replace('PySID:', '')
       # get group SID
       print "GROUP"
       sd= win32security.GetFileSecurity(name, win32security.GROUP_SECURITY_INFORMATION)
       sid= sd.GetSecurityDescriptorGroup()
       print "  ", win32security.LookupAccountSid(None, sid)
       sid2 = win32security.LookupAccountSid(None, sid)
       description['group'] = sid2[0] + '\\' + sid2[1]
       description2['group'] = sid2[0] + '\\' + sid2[1]
       description2['group_sid'] = str(sid).replace('PySID:', '')
       # get ACEs
       sd= win32security.GetFileSecurity(name, win32security.DACL_SECURITY_INFORMATION)
       dacl= sd.GetSecurityDescriptorDacl()
       if dacl == None:
           print "No Discretionary ACL"
       else:
           for ace_no in range(0, dacl.GetAceCount()):
               ace= dacl.GetAce(ace_no)
               #print "ACE", ace_no
               entry = []
               ace_type = []
               for i in ("ACCESS_ALLOWED_ACE_TYPE", "ACCESS_DENIED_ACE_TYPE", "SYSTEM_AUDIT_ACE_TYPE", "SYSTEM_ALARM_ACE_TYPE"):
                   if getattr(ntsecuritycon, i) == ace[0][0]:
                       entry.append(i)
                       ace_type.append(i)
               print "  -Flags", hex(ace[0][1])
               for i in ("OBJECT_INHERIT_ACE", "CONTAINER_INHERIT_ACE", "NO_PROPAGATE_INHERIT_ACE", "INHERIT_ONLY_ACE", "SUCCESSFUL_ACCESS_ACE_FLAG", "FAILED_ACCESS_ACE_FLAG"):
                   if getattr(ntsecuritycon, i) & ace[0][1] == getattr(ntsecuritycon, i):
                       entry.append(i)
               print "  -mask", hex(ace[1])
               # files and directories do permissions differently
               permissions_file= ("DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "FILE_GENERIC_READ", "FILE_GENERIC_WRITE", "FILE_GENERIC_EXECUTE", "FILE_DELETE_CHILD")
               permissions_dir= ("DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "FILE_ADD_SUBDIRECTORY", "FILE_ADD_FILE", "FILE_DELETE_CHILD", "FILE_LIST_DIRECTORY", "FILE_TRAVERSE", "FILE_READ_ATTRIBUTES", "FILE_WRITE_ATTRIBUTES", "FILE_READ_EA", "FILE_WRITE_EA")
               permissions_dir_inherit= ("DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "GENERIC_READ", "GENERIC_WRITE", "GENERIC_EXECUTE", "GENERIC_ALL")
               if os.path.isfile(name):
                   permissions= permissions_file
               else:
                   permissions= permissions_dir
                   # directories also contain an ACE that is inherited by children (files) within them
                   if ace[0][1] & ntsecuritycon.OBJECT_INHERIT_ACE == ntsecuritycon.OBJECT_INHERIT_ACE and ace[0][1] & ntsecuritycon.INHERIT_ONLY_ACE == ntsecuritycon.INHERIT_ONLY_ACE:
                       permissions= permissions_dir_inherit
               calc_mask= 0  # calculate the mask so we can see if we are printing all of the permissions
               ace_permissions = []
               for i in permissions:
                   if getattr(ntsecuritycon, i) & ace[1] == getattr(ntsecuritycon, i):
                       calc_mask= calc_mask | getattr(ntsecuritycon, i)
                       print "    ", i
                       entry.append(i)
                       ace_permissions.append(i)
               print "  ", "Calculated Check Mask=", hex(calc_mask)
               print "  -SID\n    ", win32security.LookupAccountSid(None, ace[2])
               sid = win32security.LookupAccountSid(None, ace[2])
               description[sid[0] + '\\' + sid[1]] = entry
               description2['ace_' + str(ace_no) + "_type"] = ace_type
               description2['ace_' + str(ace_no) + "_permissions"] = ace_permissions
               description2['ace_' + str(ace_no) + "_sid"] = str(ace[2]).replace('PySID:', '')
               description2['ace_' + str(ace_no) + "_account"] = sid[0] + '\\' + sid[1]
       print "_________________________________________________"
       print "Description 1"
       for k,v in description.items():
           print k, ":", v
           print
       print "_________________________________________________"
       print "Description 2"
       for k,v in description2.items():
           if isinstance(v, basestring):
               print k, ":", v
           else:
               print k, ":", ",".join(v)

Project

General

Profile

Splunk Apps » File Meta-data Monitoring

FileSecurityTest2.py