@@ -395,6 +395,82 @@ function Test-TimeZone {
395395 }
396396}
397397
398+ function Test-AuditPolicies {
399+ $expectedAuditPolicies = @ {
400+ ' Credential Validation' = ' Success and Failure' ;
401+ ' Security Group Management' = ' Success' ;
402+ ' User Account Management' = ' Success and Failure' ;
403+ ' Plug and Play Events' = ' Success' ;
404+ ' Process Creation' = ' Success' ;
405+ ' Account Lockout' = ' Failure' ;
406+ ' Group Membership' = ' Success' ;
407+ ' Logon' = ' Success and Failure' ;
408+ ' Other Logon/Logoff Events' = ' Success and Failure' ;
409+ ' Special Logon' = ' Success' ;
410+ ' Detailed File Share' = ' Failure' ;
411+ ' File Share' = ' Success and Failure' ;
412+ ' Other Object Access Events' = ' Success and Failure' ;
413+ ' Removable Storage' = ' Success and Failure' ;
414+ ' Audit Policy Change' = ' Success' ;
415+ ' Authentication Policy Change' = ' Success' ;
416+ ' MPSSVC Rule-Level Policy Change' = ' Success and Failure' ;
417+ ' Other Policy Change Events' = ' Failure' ;
418+ ' Sensitive Privilege Use' = ' Success and Failure' ;
419+ ' Other System Events' = ' Success and Failure' ;
420+ ' Security State Change' = ' Success' ;
421+ ' Security System Extension' = ' Success' ;
422+ ' System Integrity' = ' Success and Failure' ;
423+ }
424+
425+ $backupDir = " $env: TMP /policyBackup-$ ( [System.Guid ]::NewGuid() ) "
426+ New-Item - ItemType Directory - Path $backupDir
427+ C:\var \vcap\packages\lgpo\lgpo\LGPO.exe / b $backupDir
428+
429+ $backupPaths = (Get-ChildItem $backupDir )
430+ if ($backupPaths.Count -ne 1 ) {
431+ Write-Error " Expected exactly 1 backup directory, but found $ ( $backupPaths.Count ) "
432+ Exit 1
433+ }
434+
435+ $policyPath = " $backupDir \$ ( $backupPaths.Name ) \DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv"
436+
437+ if (-not (Test-Path $policyPath )) {
438+ Write-Error " Audit policy file does not exist at: $policyPath "
439+ Exit 1
440+ }
441+
442+ Write-Host " Loading actual policies from: $policyPath "
443+ $actualPolicies = Import-Csv $policyPath
444+
445+ $failedTests = 0
446+ foreach ($policyName in $expectedAuditPolicies.keys ) {
447+ $expectedValue = $expectedAuditPolicies [$policyName ]
448+ $actualPolicy = $actualPolicies | Where-Object { $_.Subcategory -eq $policyName }
449+
450+ Write-Host " Checking audit policy '$policyName ' is set to '$expectedValue '..."
451+ if ($null -eq $actualPolicy -or $actualPolicy.Count -eq 0 ) {
452+ Write-Error " Audit policy subcategory '$policyName ' should exist but was not found"
453+ $failedTests ++
454+ continue
455+ }
456+
457+ $actualValue = $actualPolicy .' Inclusion Setting'
458+ if ($actualValue -ne $expectedValue ) {
459+ Write-Error " Audit policy '$policyName ' is set to '$actualValue ' but expected '$expectedValue '"
460+ $failedTests ++
461+ } else {
462+ Write-Host " ✓ Audit policy '$policyName ' is correctly set to '$expectedValue '"
463+ }
464+
465+ if ($failedTests -gt 0 ) {
466+ Write-Error " Audit policies verification failed with $failedTests error(s)"
467+ Exit 1
468+ }
469+ }
470+ }
471+
472+ # END function definitions
473+
398474Test-LGPO
399475Test-Dependencies
400476Test-Acls
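Review bot: The `if ($failedTests -gt 0)` block at lines 465-468 sits inside the `foreach` (the loop only closes at line 469), so the first mismatched subcategory exits the script immediately and the "failed with $failedTests error(s)" message can never report more than 1; a missing subcategory, by contrast, hits `continue` before that check and is not fatal on its own, so the two failure paths behave differently. If the intent is to report every misconfigured policy in one run, move those four lines to just after the loop's closing brace so the counter is evaluated once, after all subcategories have been compared. The `LGPO.exe /b` call at line 427 is not followed by a `$LASTEXITCODE` check; the `Count -ne 1` test afterwards does catch a produced-nothing failure, but a one-line `if ($LASTEXITCODE -ne 0) { Write-Error "LGPO backup failed"; Exit 1 }` would make the cause explicit. The backup directory created under `$env:TMP` is never removed, so each run of this test leaves a copy of the machine's audit policy on disk; a `Remove-Item -Recurse -Force $backupDir` at the end of the function (or in a `finally`) would avoid that.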
@@ -412,10 +488,6 @@ Test-PSVersion5
412488Test-VersionFile
413489Test-TimeZone
414490
415- Import-Module C:\var \vcap\packages\pester\Pester\Pester.psd1
416- $pesterResults = Invoke-Pester $PSScriptRoot / AuditPolicies.Tests.ps1 - PassThru
417- if ($pesterResults.FailedCount -gt 0 ) {
418- Exit 1
419- }
491+ Test-AuditPolicies
420492
421493Exit 0