Public/AuditPolicy.ps1

 <#
.SYNOPSIS
    Test an Audit Policy.
.DESCRIPTION
    Test the setting of a particular audit policy subcategory. Must be run in an elevated (Administrator) session.
.PARAMETER Target
    Specifies the subcategory of the Audit Policy (alias: Subcategory). Bound positionally as the second argument.
.PARAMETER Qualifier
    Specifies the category of the Audit Policy (alias: Category). Bound positionally as the first argument.
.PARAMETER Should
    A Script Block defining a Pester Assertion.
.EXAMPLE
    AuditPolicy System "Security System Extension" { Should Be Success }
.EXAMPLE
    AuditPolicy "Logon/Logoff" Logon { Should Be "Success and Failure" }
.EXAMPLE
    AuditPolicy "Account Management" "User Account Management" { Should Not Be "No Auditing" }
.NOTES
    Assertions: Be, BeExactly, Match, MatchExactly
#>

 
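function AuditPolicy {
    # Poshspec test: asserts the effective setting of one audit policy subcategory
    # as reported by auditpol.exe. Both names are constrained by ValidateSet, so
    # only the known category/subcategory strings can reach the auditpol command
    # line and the regular expression used to pick the result row.
    [CmdletBinding(DefaultParameterSetName="Default")]
    param(
        # Audit policy category, passed to "auditpol /get /category:". Position 1.
        [Parameter(Mandatory, Position=1)]
        [Alias("Category")]
        [ValidateSet(
            "System",
            "Logon/Logoff",
            "Object Access",
            "Privilege Use",
            "Detailed Tracking",
            "Policy Change",
            "Account Management",
            "DS Access",
            "Account Logon"
        )]
        [string]$Qualifier,

        # Audit policy subcategory whose setting is tested. Position 2.
        # NOTE: this list is flat, so a subcategory that does not belong to the
        # given category is accepted and simply produces no output row.
        [Parameter(Mandatory, Position=2)]
        [Alias("Subcategory")]
        [ValidateSet(
            "Security System Extension",
            "System Integrity",
            "IPsec Driver",
            "Other System Events",
            "Security State Change",
            "Logon",
            "Logoff",
            "Account Lockout",
            "IPsec Main Mode",
            "IPsec Quick Mode",
            "IPsec Extended Mode",
            "Special Logon",
            "Other Logon/Logoff Events",
            "Network Policy Server",
            "User / Device Claims",
            "Group Membership",
            "File System",
            "Registry",
            "Kernel Object",
            "SAM",
            "Certification Services",
            "Application Generated",
            "Handle Manipulation",
            "File Share",
            "Filtering Platform Packet Drop",
            "Filtering Platform Connection",
            "Other Object Access Events",
            "Detailed File Share",
            "Removable Storage",
            "Central Policy Staging",
            "Sensitive Privilege Use",
            "Non Sensitive Privilege Use",
            "Other Privilege Use Events",
            "Process Termination",
            "DPAPI Activity",
            "RPC Events",
            "Plug and Play Events",
            "Token Right Adjusted Events",
            "Process Creation",
            "Audit Policy Change",
            "Authentication Policy Change",
            "Authorization Policy Change",
            "MPSSVC Rule-Level Policy Change",
            "Filtering Platform Policy Change",
            "Other Policy Change Events",
            "User Account Management",
            "Computer Account Management",
            "Security Group Management",
            "Distribution Group Management",
            "Application Group Management",
            "Other Account Management Events",
            "Directory Service Changes",
            "Directory Service Replication",
            "Detailed Directory Service Replication",
            "Directory Service Access",
            "Kerberos Service Ticket Operations",
            "Other Account Logon Events",
            "Kerberos Authentication Service",
            "Credential Validation"
        )]
        [string]$Target,

        # Pester assertion applied to the setting text,
        # e.g. { Should Be "Success and Failure" }. Position 3.
        [Parameter(Mandatory, Position=3)]
        [scriptblock]$Should
    )

    # Returns the "Setting" column of the $Subcategory row from
    # "auditpol /get /category:<Category>". Throws unless the session is
    # elevated (Test-RunAsAdmin is defined elsewhere in the module).
    Function GetAuditPolicy([string]$Category, [string]$Subcategory) {
        If (-not (Test-RunAsAdmin)) {
            Throw "You must run as Administrator to test AuditPolicy"
        }
        # Match the subcategory name as a whole column entry: the name is
        # escaped so it is taken literally, and the lookahead requires the
        # 2+ spaces that separate it from the setting column, so a short name
        # (e.g. "File Share") cannot match a row with a longer name.
        $rowPattern = '^\s+' + [regex]::Escape($Subcategory) + '(?=\s{2,})'
        auditpol /get /category:$Category |
            Where-Object -FilterScript { $_ -match $rowPattern } |
                ForEach-Object -Process { ($_.Trim() -split '\s{2,}')[1] }
    }

    # The single-quoted '$Qualifier'/'$Target' are not expanded by PowerShell
    # here; the scriptblock text is handed to Get-PoshspecParam, which is
    # presumably responsible for substituting the bound values — confirm
    # against its implementation. Because both values come from ValidateSet,
    # the quoted arguments cannot be broken out of.
    $expression = {GetAuditPolicy -Category '$Qualifier' -Subcategory '$Target'}

    $params = Get-PoshspecParam -TestName AuditPolicy -TestExpression $expression @PSBoundParameters

    Invoke-PoshspecExpression @params
}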