Functions/Audit/Get-SecurityAuditPolicySetting.ps1
<#
.SYNOPSIS Get one audit policy setting on the local system. .DESCRIPTION This command uses the auditpol.exe command to get the current audit policy setting for the local system and parse the output for the target setting. .INPUTS None. .OUTPUTS System.Boolean. Return true if the audit policy is enabled, false if not. .EXAMPLE PS C:\> Get-SecurityAuditPolicySetting -Category 'Object Access' -Subcategory 'File System' -Setting 'Success' Returns the current setting for success audit on the file system object access audit policy. .LINK https://github.com/claudiospizzi/SecurityFever #> function Get-SecurityAuditPolicySetting { [CmdletBinding()] [OutputType([System.Boolean])] param ( # Audit policy category [Parameter(Mandatory = $true)] [System.String] $Category, # Audit policy subcategory [Parameter(Mandatory = $true)] [System.String] $Subcategory, # Audit policy setting [Parameter(Mandatory = $true)] [ValidateSet('Success', 'Failure')] [System.String] $Setting ) $auditPolicies = Get-SecurityAuditPolicy foreach ($auditPolicy in $auditPolicies) { if ($auditPolicy.Category -eq $Category -and $auditPolicy.Subcategory -eq $Subcategory) { switch ($Setting) { 'Success' { return $auditPolicy.AuditSuccess } 'Failure' { return $auditPolicy.AuditFailure } } } } throw "No audit policy found for category $Category and subcategory $Subcategory." } |