/// <summary>
/// Sets the audit policy configuration.
/// </summary>
/// <param name="policyInformation">AUDIT_POLICY_INFORMATION to be set</param>
/// <returns>nothing</returns>
static public void SetSystemPolicy(AUDIT_POLICY_INFORMATION policyInformation)
{
List <string> identifiers = new List <string>();
IntPtr buffer = Marshal.AllocHGlobal(Marshal.SizeOf(policyInformation));
Marshal.StructureToPtr(policyInformation, buffer, true);
bool success = AuditSetSystemPolicy(buffer, 1);
AuditFree(buffer);
if (!success)
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
/// <summary>
/// Gets the audit policy configured for the specified subcategory GUID.
/// </summary>
/// <param name="subCategoryGuid">The GUID of the subcategory for which the policy should be returned.</param>
/// <returns>Returns an AUDIT_POLICY_INFORMATION that contains information about the policy.</returns>
static public AUDIT_POLICY_INFORMATION GetSystemPolicy(Guid subCategoryGuid)
{
List <string> identifiers = new List <string>();
IntPtr buffer;
bool success = AuditQuerySystemPolicy(ref subCategoryGuid, 1, out buffer);
if (!success)
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
AUDIT_POLICY_INFORMATION policyInformation = (AUDIT_POLICY_INFORMATION)Marshal.PtrToStructure(buffer, typeof(AUDIT_POLICY_INFORMATION));
AuditFree(buffer);
return(policyInformation);
}
public void AuditQuerySetPerUserPolicyTest()
{
AUDIT_POLICY_INFORMATION[] orig = null;
Assert.That(() => orig = AuditQueryPerUserPolicy(CurUserSid, new[] { regAudit }).ToArray(), Throws.Nothing);
var api = new AUDIT_POLICY_INFORMATION {
AuditSubCategoryGuid = regAudit, AuditingInformation = AuditCondition.PER_USER_AUDIT_SUCCESS_INCLUDE
};
Assert.That(AuditSetPerUserPolicy(CurUserSid, new[] { api }, 1), ResultIs.Successful);
Assert.That(AuditQueryPerUserPolicy(CurUserSid, new[] { regAudit }).ToArray(), Has.Length.EqualTo(1));
if (orig.Length == 0)
{
api.AuditingInformation = AuditCondition.PER_USER_AUDIT_NONE;
}
else
{
api = orig[0];
}
Assert.That(AuditSetPerUserPolicy(CurUserSid, new[] { api }, 1), ResultIs.Successful);
}
/// <summary>
/// Gets the audit policy configured for the specified subcategory GUID.
/// </summary>
/// <param name="subCategoryGuid">The GUID of the subcategory for which the policy should be returned.</param>
/// <returns>Returns an AUDIT_POLICY_INFORMATION that contains information about the policy.</returns>
private static AUDIT_POLICY_INFORMATION GetSystemPolicy(Guid subCategoryGuid)
{
StringCollection identifiers = new StringCollection();
IntPtr buffer;
bool success = AuditQuerySystemPolicy(subCategoryGuid, 1, out buffer);
if (!success)
{
throw new Win32Exception(Marshal.GetLastWin32Error());
}
AUDIT_POLICY_INFORMATION policyInformation = new AUDIT_POLICY_INFORMATION();
try {
policyInformation = (AUDIT_POLICY_INFORMATION)Marshal.PtrToStructure(buffer, typeof(AUDIT_POLICY_INFORMATION));
AuditFree(buffer);
}
catch
{
Console.WriteLine("\n\nERROR 5: Insufficient privileges");
Environment.Exit(1);
}
return(policyInformation);
}
public static Dictionary <AuditEventPolicy, Dictionary <String, AuditEventStatus> > GetSubcategoryPolicies()
{
Dictionary <AuditEventPolicy, Dictionary <String, AuditEventStatus> > result = new Dictionary <AuditEventPolicy, Dictionary <String, AuditEventStatus> >();
LSA_OBJECT_ATTRIBUTES objAttrs = new LSA_OBJECT_ATTRIBUTES();
IntPtr hPolicy = IntPtr.Zero;
IntPtr pInfo = IntPtr.Zero;
IntPtr pGuid = IntPtr.Zero;
IntPtr pAuditPolicies = IntPtr.Zero;
IntPtr pSubcategories = IntPtr.Zero;
UInt32 lrc = LsaOpenPolicy(null, ref objAttrs, POLICY_VIEW_AUDIT_INFORMATION, out hPolicy);
uint code = LsaNtStatusToWinError(lrc);
if (code != 0)
{
throw new System.ComponentModel.Win32Exception((int)code);
}
try {
//
// Query the policy
//
lrc = LsaQueryInformationPolicy(hPolicy, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pInfo);
code = LsaNtStatusToWinError(lrc);
if (code != 0)
{
throw new System.ComponentModel.Win32Exception((int)code);
}
POLICY_AUDIT_EVENTS_INFO info = new POLICY_AUDIT_EVENTS_INFO();
info = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pInfo, info.GetType());
//
// Iterate through the event types
//
for (UInt32 eventType = 0; eventType < info.MaximumAuditEventCount; eventType++)
{
pGuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(GUID)));
if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)eventType, pGuid))
{
throw new System.ComponentModel.Win32Exception(GetLastError());
}
UInt32 subcategoryCount = 0;
if (!AuditEnumerateSubCategories(pGuid, false, ref pSubcategories, out subcategoryCount))
{
throw new System.ComponentModel.Win32Exception(GetLastError());
}
if (!AuditQuerySystemPolicy(pSubcategories, subcategoryCount, out pAuditPolicies))
{
throw new System.ComponentModel.Win32Exception(GetLastError());
}
Dictionary <String, AuditEventStatus> dict = new Dictionary <String, AuditEventStatus>();
AUDIT_POLICY_INFORMATION policyInfo = new AUDIT_POLICY_INFORMATION();
for (UInt32 subcategoryIndex = 0; subcategoryIndex < subcategoryCount; subcategoryIndex++)
{
IntPtr itemPtr = new IntPtr(pAuditPolicies.ToInt64() +
(long)subcategoryIndex * (Int64)Marshal.SizeOf(policyInfo));
policyInfo = (AUDIT_POLICY_INFORMATION)Marshal.PtrToStructure(itemPtr, policyInfo.GetType());
dict.Add(AuditPolicySubcategories[policyInfo.AuditSubCategoryGuid.ToString()],
(AuditEventStatus)policyInfo.AuditingInformation);
}
result.Add((AuditEventPolicy)eventType, dict);
AuditFree(pAuditPolicies);
pAuditPolicies = IntPtr.Zero;
AuditFree(pSubcategories);
pSubcategories = IntPtr.Zero;
Marshal.FreeHGlobal(pGuid);
pGuid = IntPtr.Zero;
}
} finally {
//
// Cleanup
//
if (pInfo != IntPtr.Zero)
{
LsaFreeMemory(pInfo);
}
if (pGuid != IntPtr.Zero)
{
Marshal.FreeHGlobal(pGuid);
}
if (pAuditPolicies != IntPtr.Zero)
{
AuditFree(pAuditPolicies);
}
if (pSubcategories != IntPtr.Zero)
{
AuditFree(pSubcategories);
}
LsaClose(hPolicy);
}
return(result);
}
public SubCategory(Guid pvGuid, string pvDisplayName, AUDIT_POLICY_INFORMATION pvAuditInfo) : this()
{
this.Identifier = pvGuid;
this.DisplayName = pvDisplayName;
this.Policy = pvAuditInfo.AuditingInformation;
}
public void AddSubCategory(Guid pvGuid, string pvDisplayName, AUDIT_POLICY_INFORMATION pvAuditInfo)
{
SubCategories.Add(new SubCategory(pvGuid, pvDisplayName, pvAuditInfo));
}
public virtual Dictionary<AuditEventSubcategories, AuditEventStatus> GetAuditEventSubcategoriesPolicy(TargetInfo targetInfo)
{
Dictionary<AuditEventSubcategories, AuditEventStatus> retList = new Dictionary<AuditEventSubcategories, AuditEventStatus>();
string target = @"\\" + targetInfo.GetAddress();
LSA_UNICODE_STRING systemName = string2LSAUS(target);
LSA_OBJECT_ATTRIBUTES objAttrs = new LSA_OBJECT_ATTRIBUTES();
IntPtr policyHandle = IntPtr.Zero;
IntPtr pAuditEventsInfo = IntPtr.Zero;
IntPtr pAuditCategoryId = IntPtr.Zero;
IntPtr pAuditSubCategoryGuids = IntPtr.Zero;
IntPtr pAuditPolicies = IntPtr.Zero;
UInt32 lretVal = LsaOpenPolicy(ref systemName, ref objAttrs, POLICY_VIEW_AUDIT_INFORMATION, out policyHandle);
UInt32 retVal = LsaNtStatusToWinError(lretVal);
if (retVal == (UInt32)0)
{
try
{
lretVal = LsaQueryInformationPolicy(policyHandle, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pAuditEventsInfo);
retVal = LsaNtStatusToWinError(lretVal);
if (retVal == 0)
{
POLICY_AUDIT_EVENTS_INFO myAuditEventsInfo = new POLICY_AUDIT_EVENTS_INFO();
myAuditEventsInfo = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pAuditEventsInfo, myAuditEventsInfo.GetType());
for (var policyAuditEventType = 0; policyAuditEventType < myAuditEventsInfo.MaximumAuditEventCount; policyAuditEventType++)
{
pAuditCategoryId = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(GUID)));
if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)policyAuditEventType, pAuditCategoryId))
{
int causingError = GetLastError();
throw new System.ComponentModel.Win32Exception(causingError);
}
UInt32 nSubCats = 0;
pAuditSubCategoryGuids = IntPtr.Zero;
if (!AuditEnumerateSubCategories(pAuditCategoryId, false, ref pAuditSubCategoryGuids, out nSubCats))
{
int causingError = GetLastError();
throw new System.ComponentModel.Win32Exception(causingError);
}
Marshal.FreeHGlobal(pAuditCategoryId);
pAuditCategoryId = IntPtr.Zero;
pAuditPolicies = IntPtr.Zero;
if (nSubCats > 0)
{
if (!AuditQuerySystemPolicy(pAuditSubCategoryGuids, nSubCats, out pAuditPolicies))
{
int causingError = GetLastError();
throw new System.ComponentModel.Win32Exception(causingError);
}
for (var subcategoryIndex = 0; subcategoryIndex < nSubCats; subcategoryIndex++)
{
AUDIT_POLICY_INFORMATION currentPolicy = new AUDIT_POLICY_INFORMATION();
IntPtr itemPtr = new IntPtr(pAuditPolicies.ToInt64() + (Int64)subcategoryIndex * (Int64)Marshal.SizeOf(currentPolicy));
currentPolicy = (AUDIT_POLICY_INFORMATION)Marshal.PtrToStructure(itemPtr, currentPolicy.GetType());
String subCategoryName = String.Empty;
Marshal.StructureToPtr(currentPolicy, itemPtr, true);
AuditLookupSubCategoryName(itemPtr, ref subCategoryName);
AuditEventSubcategories value;
if (subcategoriesDictionary.TryGetValue(subCategoryName, out value))
{
retList.Add(value, (AuditEventStatus)(currentPolicy.AuditingInformation & 0x3));
}
}
if (pAuditPolicies != IntPtr.Zero)
{
AuditFree(pAuditPolicies);
pAuditPolicies = IntPtr.Zero;
}
}
if (pAuditSubCategoryGuids != IntPtr.Zero)
{
AuditFree(pAuditSubCategoryGuids);
pAuditSubCategoryGuids = IntPtr.Zero;
}
nSubCats = 0;
}
}
else
{
throw new System.ComponentModel.Win32Exception((int)retVal);
}
}
finally
{
if (pAuditPolicies != IntPtr.Zero)
{
AuditFree(pAuditPolicies);
pAuditPolicies = IntPtr.Zero;
}
if (pAuditSubCategoryGuids != IntPtr.Zero)
{
AuditFree(pAuditSubCategoryGuids);
pAuditSubCategoryGuids = IntPtr.Zero;
}
if (pAuditEventsInfo != IntPtr.Zero)
{
LsaFreeMemory(pAuditEventsInfo);
}
if (pAuditCategoryId != IntPtr.Zero)
{
Marshal.FreeHGlobal(pAuditCategoryId);
}
LsaClose(policyHandle);
}
}
else
{
throw new System.ComponentModel.Win32Exception((int)retVal);
}
return retList;
}
public static Dictionary<AuditEventPolicy, Dictionary<String, AuditEventStatus>> GetSubcategoryPolicies()
{
Dictionary<AuditEventPolicy, Dictionary<String, AuditEventStatus>> result = new Dictionary<AuditEventPolicy, Dictionary<String, AuditEventStatus>>();
LSA_OBJECT_ATTRIBUTES objAttrs = new LSA_OBJECT_ATTRIBUTES();
IntPtr hPolicy = IntPtr.Zero;
IntPtr pInfo = IntPtr.Zero;
IntPtr pGuid = IntPtr.Zero;
IntPtr pAuditPolicies = IntPtr.Zero;
IntPtr pSubcategories = IntPtr.Zero;
UInt32 lrc = LsaOpenPolicy(null, ref objAttrs, POLICY_VIEW_AUDIT_INFORMATION, out hPolicy);
uint code = LsaNtStatusToWinError(lrc);
if (code != 0) {
throw new System.ComponentModel.Win32Exception((int)code);
}
try {
//
// Query the policy
//
lrc = LsaQueryInformationPolicy(hPolicy, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pInfo);
code = LsaNtStatusToWinError(lrc);
if (code != 0) {
throw new System.ComponentModel.Win32Exception((int)code);
}
POLICY_AUDIT_EVENTS_INFO info = new POLICY_AUDIT_EVENTS_INFO();
info = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pInfo, info.GetType());
//
// Iterate through the event types
//
for (UInt32 eventType = 0; eventType < info.MaximumAuditEventCount; eventType++) {
pGuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(GUID)));
if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)eventType, pGuid)) {
throw new System.ComponentModel.Win32Exception(GetLastError());
}
UInt32 subcategoryCount = 0;
if (!AuditEnumerateSubCategories(pGuid, false, ref pSubcategories, out subcategoryCount)) {
throw new System.ComponentModel.Win32Exception(GetLastError());
}
if (!AuditQuerySystemPolicy(pSubcategories, subcategoryCount, out pAuditPolicies)) {
throw new System.ComponentModel.Win32Exception(GetLastError());
}
Dictionary<String, AuditEventStatus> dict = new Dictionary<String, AuditEventStatus>();
AUDIT_POLICY_INFORMATION policyInfo = new AUDIT_POLICY_INFORMATION();
for (UInt32 subcategoryIndex = 0; subcategoryIndex < subcategoryCount; subcategoryIndex++) {
IntPtr itemPtr = new IntPtr(pAuditPolicies.ToInt64() +
(long)subcategoryIndex * (Int64)Marshal.SizeOf(policyInfo));
policyInfo = (AUDIT_POLICY_INFORMATION)Marshal.PtrToStructure(itemPtr, policyInfo.GetType());
dict.Add(AuditPolicySubcategories[policyInfo.AuditSubCategoryGuid.ToString()],
(AuditEventStatus)policyInfo.AuditingInformation);
}
result.Add((AuditEventPolicy)eventType, dict);
AuditFree(pAuditPolicies);
pAuditPolicies = IntPtr.Zero;
AuditFree(pSubcategories);
pSubcategories = IntPtr.Zero;
Marshal.FreeHGlobal(pGuid);
pGuid = IntPtr.Zero;
}
} finally {
//
// Cleanup
//
if (pInfo != IntPtr.Zero) {
LsaFreeMemory(pInfo);
}
if (pGuid != IntPtr.Zero) {
Marshal.FreeHGlobal(pGuid);
}
if (pAuditPolicies != IntPtr.Zero) {
AuditFree(pAuditPolicies);
}
if (pSubcategories != IntPtr.Zero) {
AuditFree(pSubcategories);
}
LsaClose(hPolicy);
}
return result;
}
