Hi SaiyadRa,
Are you looking to trigger an alert if someone changes the file system/folder permissions? Or, is there a security group in the file system permissions and you want to be alerted if the membership of that group changes?
If I understand your question properly, you’re looking for the first one: an alert if the file system/folder permissions change. I quickly looked through the guide for the Windows Server File and iSCSI Services MP and I didn’t see anything that might be helpful. You could do a custom monitor with a short PowerShell script.
Use Get-Acl to pull the folder permissions and a regular expression to filter for the accepted values. Alerts can be triggered if there is anything that doesn’t match that RegEx. I put this together and tested it quickly. It worked as expected:
# Set the path that is being monitored
$MonitoredPath = "C:\Windows"

# Set the accepted users and groups for the ACL
# If multiple users/groups are accepted, separate with a pipe character |
$AcceptedACLEntries = "System|Users|TrustedInstaller"

Write-Host "Checking file system permissions for: " $MonitoredPath
Write-Host "Acceptable users and groups:`n"
$AcceptedACLEntries.Split("|")
Write-Host "`n"

# Building a property bag for SCOM so the data gathered by the script can be added to the alert.
$ScomAPI = New-Object -comObject "MOM.ScriptAPI"
$PropertyBag = $ScomAPI.CreatePropertyBag()

# Get the users and groups from the monitored path's ACL
$ACL_MonitoredPath = (Get-Acl -Path $MonitoredPath).Access.IdentityReference

# Initialize a variable to store any improper permissions
$ImproperPermissions = $null

# Look at each entry in the list
ForEach ($ACL in $ACL_MonitoredPath) {
    # If the entry in the list does not match the accepted entries, write it to the console and add to the property bag
    # -notmatch is a case-insensitive, unanchored regex test, so an identity that contains one of the accepted strings counts as accepted
    If ($ACL -notmatch $AcceptedACLEntries) {
        Write-Host -ForegroundColor Red "Improper permission found: " $ACL
        # Add the improper permission's Value attribute to a list that can be shown in the alert description
        $ImproperPermissions += $ACL.Value + "`n"
    }
    Else {
        Write-Host -ForegroundColor Green "Acceptable permission found: " $ACL
    }
}

# If improper permissions were found (i.e. $ImproperPermissions is not null), set the state to "Bad" and add the list of improper permissions to the property bag
If ($null -ne $ImproperPermissions) {
    $PropertyBag.AddValue("State","Bad")
    $PropertyBag.AddValue("MonitoredPath",$MonitoredPath)
    $PropertyBag.AddValue("Permission",$ImproperPermissions)
}
# Else, if there are no improper permissions (i.e. $ImproperPermissions is still null), set the state to "Good"
ElseIf ($null -eq $ImproperPermissions) {
    $PropertyBag.AddValue("State","Good")
}

# Return the property bag
$PropertyBag
Then, for the alert configuration:
Healthy Expression:
Property[@Name="State"] Equals Good
Unhealthy Expression:
Property[@Name="State"] Equals Bad
Alert Description:
Improper file system permissions have been found.
Monitored path: $Data/Context/Property[@Name="MonitoredPath"]$
Improper permissions:
$Data/Context/Property[@Name="Permission"]$
When an alert was triggered, the description looked like this:
Alert: FileSystemTest
Source: MyServer.Domain.com
Path: Not Present
Last modified by: System
Last modified time: 5/29/2020 8:51:52 AM
Alert description: Improper file system permissions have been found.
Monitored path: C:\Windows
Improper permissions:
CREATOR OWNER
BUILTIN\Administrators
BUILTIN\Administrators
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES
That script looks at C:\Windows but you could change the path to any file or folder. A UNC path works too. I think that might get you close to what you need.
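
The following is an added example, not part of the original post: it goes beyond the identity-name check above and compares each access rule (identity, allow/deny, rights, inherited flag) against an exact baseline, so a change in rights for an already accepted identity also sets the state to Bad. The path and the baseline entries are constructed sample values; the property names match the alert configuration shown above.

```powershell
# Added example, not from the original post.
# $MonitoredPath and the $Baseline entries are constructed sample values.
$MonitoredPath = "D:\Shares\Finance"

# One string per expected access rule: Identity|Allow or Deny|Rights|IsInherited
$Baseline = @(
    "NT AUTHORITY\SYSTEM|Allow|FullControl|False"
    "BUILTIN\Administrators|Allow|FullControl|False"
    "BUILTIN\Users|Allow|ReadAndExecute, Synchronize|False"
)

# Flatten every access rule on the path into the same string form as the baseline
$Current = @(
    (Get-Acl -Path $MonitoredPath -ErrorAction Stop).Access | ForEach-Object {
        "{0}|{1}|{2}|{3}" -f $_.IdentityReference.Value, $_.AccessControlType,
                             $_.FileSystemRights, $_.IsInherited
    }
)

# Exact (case-insensitive) whole-string comparison in both directions
$Added   = @($Current  | Where-Object { $_ -notin $Baseline })
$Removed = @($Baseline | Where-Object { $_ -notin $Current })

# Same property names as the script above so the alert expressions still apply
$ScomAPI = New-Object -ComObject "MOM.ScriptAPI"
$PropertyBag = $ScomAPI.CreatePropertyBag()
$PropertyBag.AddValue("MonitoredPath", $MonitoredPath)

If ($Added.Count -gt 0 -or $Removed.Count -gt 0) {
    $Detail = "Unexpected entries:`n" + ($Added -join "`n") +
              "`nMissing baseline entries:`n" + ($Removed -join "`n")
    $PropertyBag.AddValue("State", "Bad")
    $PropertyBag.AddValue("Permission", $Detail)
}
Else {
    $PropertyBag.AddValue("State", "Good")
}

# Return the property bag
$PropertyBag
```

To build the baseline for a real folder, run the flattening step once against a known-good state and paste the resulting strings into `$Baseline`.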