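/// <summary>
/// Writes the firewall event audit policy (the sub-category identified by FirewallEventPolicyID)
/// so that it matches the requested <see cref="Auditing"/> mode.
/// </summary>
/// <param name="audit">Desired auditing mode. A value outside the four handled members leaves
/// the existing AuditingInformation untouched and the unchanged policy is written back.</param>
/// <returns>true when the policy was written; false when any step threw (the exception is
/// passed to AppLog.Exception).</returns>
public bool SetAuditPolicy(Auditing audit)
{
    try
    {
        AuditPolicy.AUDIT_POLICY_INFORMATION pol = AuditPolicy.GetSystemPolicy(FirewallEventPolicyID);
        switch (audit)
        {
            case Auditing.All:
                pol.AuditingInformation = AuditPolicy.AUDIT_POLICY_INFORMATION_TYPE.Success | AuditPolicy.AUDIT_POLICY_INFORMATION_TYPE.Failure;
                break;
            case Auditing.Blocked:
                pol.AuditingInformation = AuditPolicy.AUDIT_POLICY_INFORMATION_TYPE.Failure;
                break;
            case Auditing.Allowed:
                pol.AuditingInformation = AuditPolicy.AUDIT_POLICY_INFORMATION_TYPE.Success;
                break;
            case Auditing.Off:
                pol.AuditingInformation = AuditPolicy.AUDIT_POLICY_INFORMATION_TYPE.None;
                break;
        }

        // SetSystemPolicy needs SeSecurityPrivilege enabled on the calling token; without it the
        // call fails silently. Enable the privilege only for the duration of the write and drop it
        // in a finally block, so a throw from SetSystemPolicy cannot leave it enabled on the token.
        TokenManipulator.AddPrivilege(TokenManipulator.SE_SECURITY_NAME);
        try
        {
            AuditPolicy.SetSystemPolicy(pol);
        }
        finally
        {
            TokenManipulator.RemovePrivilege(TokenManipulator.SE_SECURITY_NAME);
        }
    }
    catch (Exception err)
    {
        AppLog.Exception(err);
        return false;
    }
    return true;
}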
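/// <summary>
/// Enables or disables success auditing for the firewall event audit policy (the sub-category
/// identified by FirewallEventPolicyID).
/// </summary>
/// <param name="audit">true sets AuditingInformation to Success; false sets it to None.
/// The Failure bit is never set by this overload.</param>
/// <returns>true when the policy was written; false when any step threw (the exception is
/// passed to AppLog.Exception).</returns>
public bool SetAuditPolicy(bool audit)
{
    try
    {
        AuditPolicy.AUDIT_POLICY_INFORMATION pol = AuditPolicy.GetSystemPolicy(FirewallEventPolicyID);
        pol.AuditingInformation = audit
            ? AuditPolicy.AUDIT_POLICY_INFORMATION_TYPE.Success
            : AuditPolicy.AUDIT_POLICY_INFORMATION_TYPE.None;

        // SetSystemPolicy needs SeSecurityPrivilege enabled on the calling token; without it the
        // call fails silently. Enable the privilege only for the duration of the write and drop it
        // in a finally block, so a throw from SetSystemPolicy cannot leave it enabled on the token.
        TokenManipulator.AddPrivilege(TokenManipulator.SE_SECURITY_NAME);
        try
        {
            AuditPolicy.SetSystemPolicy(pol);
        }
        finally
        {
            TokenManipulator.RemovePrivilege(TokenManipulator.SE_SECURITY_NAME);
        }
    }
    catch (Exception err)
    {
        AppLog.Exception(err);
        return false;
    }
    return true;
}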
/// <summary>
/// Serialises the audit policy currently shown in MainWindow to <paramref name="writer"/>.
/// </summary>
/// <param name="writer">Destination stream for the policy settings.</param>
public void Save(BinaryWriter writer)
{
    // Snapshot the window state as a policy object, then let the policy serialise itself.
    AuditPolicy.GetFromWindow(MainWindow).Write(writer);
}
/// <summary>
/// Reads a stored audit policy from <paramref name="reader"/> and applies it to MainWindow.
/// </summary>
/// <param name="reader">Source stream holding a policy previously written by Save.</param>
public void Load(BinaryReader reader)
{
    // Parse the stored policy, then push its settings into the window controls.
    AuditPolicy.Parse(reader).WriteToWindow(MainWindow);
}
/// <summary>
/// Creates an <c>AllSettings</c> instance with every section initialised to a fresh, empty
/// container so consumers never observe a null section.
/// </summary>
public AllSettings()
{
    // Typed sections.
    this.auditSettings = new AuditPolicy();
    this.dotNetVersions = new DotNetVersions();
    this.powershellSettings = new PowershellSettings();

    // Collection sections.
    this.processes = new List<ProcessModel>();
    this.services = new List<Services>();
    this.wefSettings = new Dictionary<string, string>();
}
/// <summary>
/// Reports whether success auditing is enabled for the firewall event audit policy
/// (the sub-category identified by FirewallEventPolicyID).
/// </summary>
/// <returns>true when the Success bit is set in the system policy; false when it is not,
/// or when reading the policy threw (the exception is passed to AppLog.Exception).</returns>
public bool HasAuditPolicy()
{
    bool successEnabled = false;
    try
    {
        AuditPolicy.AUDIT_POLICY_INFORMATION pol = AuditPolicy.GetSystemPolicy(FirewallEventPolicyID);
        var successBit = AuditPolicy.AUDIT_POLICY_INFORMATION_TYPE.Success;
        successEnabled = (pol.AuditingInformation & successBit) != 0;
    }
    catch (Exception err)
    {
        // An unreadable policy is reported as "not enabled" rather than propagated.
        AppLog.Exception(err);
    }
    return successEnabled;
}
/// <summary>
/// Builds an <see cref="AuditPolicy"/> snapshot of every audit category and sub-category on
/// the system (identifier, display name and, for sub-categories, the current system policy)
/// and stores it in <c>allSettings.auditSettings</c>.
/// </summary>
public static void ListAuditSettings()
{
    AuditPolicy policy = new AuditPolicy();

    // Top-level categories first, each with its resolved display name.
    foreach (var categoryId in AuditPolicyFetcher.GetCategoryIdentifiers())
    {
        policy.AddCategory(categoryId, AuditPolicyFetcher.GetCategoryDisplayName(categoryId));
    }

    // Then every sub-category under each category, together with its current system policy.
    foreach (var category in policy.Categories)
    {
        foreach (var subCategoryId in AuditPolicyFetcher.GetSubCategoryIdentifiers(category.Identifier))
        {
            category.AddSubCategory(
                subCategoryId,
                AuditPolicyFetcher.GetSubCategoryDisplayName(subCategoryId),
                AuditPolicyFetcher.GetSystemPolicy(subCategoryId));
        }
    }

    allSettings.auditSettings = policy;
}
/// <summary>
/// Maps the firewall event audit policy (the sub-category identified by FirewallEventPolicyID)
/// onto an <see cref="Auditing"/> value.
/// </summary>
/// <returns>All when both Success and Failure bits are set, Allowed for Success only,
/// Blocked for Failure only, and Off when neither bit is set or the policy could not be
/// read (the exception is passed to AppLog.Exception).</returns>
public Auditing GetAuditPolicy()
{
    try
    {
        AuditPolicy.AUDIT_POLICY_INFORMATION pol = AuditPolicy.GetSystemPolicy(FirewallEventPolicyID);
        var info = pol.AuditingInformation;
        bool logsSuccess = (info & AuditPolicy.AUDIT_POLICY_INFORMATION_TYPE.Success) != 0;
        bool logsFailure = (info & AuditPolicy.AUDIT_POLICY_INFORMATION_TYPE.Failure) != 0;

        // Most specific combination first.
        if (logsSuccess && logsFailure)
        {
            return Auditing.All;
        }
        if (logsSuccess)
        {
            return Auditing.Allowed;
        }
        if (logsFailure)
        {
            return Auditing.Blocked;
        }
    }
    catch (Exception err)
    {
        AppLog.Exception(err);
    }

    // Neither bit set, or the policy was unreadable.
    return Auditing.Off;
}