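        /// <summary>
        /// Sets the system audit policy for the firewall event subcategory
        /// (<c>FirewallEventPolicyID</c>) to the level requested by <paramref name="audit"/>.
        /// </summary>
        /// <param name="audit">Which firewall events to audit: all, blocked (failure), allowed (success) or none.</param>
        /// <returns>
        /// <c>true</c> when the policy was written; <c>false</c> when any step threw
        /// (the exception is logged through <c>AppLog.Exception</c>, never propagated).
        /// </returns>
        public bool SetAuditPolicy(Auditing audit)
        {
            try
            {
                AuditPolicy.AUDIT_POLICY_INFORMATION pol = AuditPolicy.GetSystemPolicy(FirewallEventPolicyID);
                switch (audit)
                {
                case Auditing.All:
                    pol.AuditingInformation = AuditPolicy.AUDIT_POLICY_INFORMATION_TYPE.Success | AuditPolicy.AUDIT_POLICY_INFORMATION_TYPE.Failure;
                    break;

                case Auditing.Blocked:
                    pol.AuditingInformation = AuditPolicy.AUDIT_POLICY_INFORMATION_TYPE.Failure;
                    break;

                case Auditing.Allowed:
                    pol.AuditingInformation = AuditPolicy.AUDIT_POLICY_INFORMATION_TYPE.Success;
                    break;

                case Auditing.Off:
                    pol.AuditingInformation = AuditPolicy.AUDIT_POLICY_INFORMATION_TYPE.None;
                    break;

                default:
                    // An unrecognised mode previously wrote the unchanged policy back and reported success;
                    // reject it instead (caught below, so the caller sees false and a logged error).
                    throw new ArgumentOutOfRangeException(nameof(audit), audit, "Unknown auditing mode");
                }

                // Note: without SeSecurityPrivilege this fails silently
                TokenManipulator.AddPrivilege(TokenManipulator.SE_SECURITY_NAME);
                try
                {
                    AuditPolicy.SetSystemPolicy(pol);
                }
                finally
                {
                    // Always drop the privilege again, even when SetSystemPolicy throws; otherwise the
                    // process keeps running with SeSecurityPrivilege enabled in its token.
                    TokenManipulator.RemovePrivilege(TokenManipulator.SE_SECURITY_NAME);
                }
            }
            catch (Exception err)
            {
                AppLog.Exception(err);
                return false;
            }
            return true;
        }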
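 /// <summary>
 /// Enables or disables success auditing for the firewall event subcategory
 /// (<c>FirewallEventPolicyID</c>).
 /// </summary>
 /// <param name="audit"><c>true</c> to audit successful events; <c>false</c> to turn auditing off.</param>
 /// <returns>
 /// <c>true</c> when the policy was written; <c>false</c> when any step threw
 /// (the exception is logged through <c>AppLog.Exception</c>, never propagated).
 /// </returns>
 public bool SetAuditPolicy(bool audit)
 {
     try
     {
         AuditPolicy.AUDIT_POLICY_INFORMATION pol = AuditPolicy.GetSystemPolicy(FirewallEventPolicyID);
         pol.AuditingInformation = audit
             ? AuditPolicy.AUDIT_POLICY_INFORMATION_TYPE.Success
             : AuditPolicy.AUDIT_POLICY_INFORMATION_TYPE.None;

         // Note: without SeSecurityPrivilege this fails silently
         TokenManipulator.AddPrivilege(TokenManipulator.SE_SECURITY_NAME);
         try
         {
             AuditPolicy.SetSystemPolicy(pol);
         }
         finally
         {
             // Always drop the privilege again, even when SetSystemPolicy throws; otherwise the
             // process keeps running with SeSecurityPrivilege enabled in its token.
             TokenManipulator.RemovePrivilege(TokenManipulator.SE_SECURITY_NAME);
         }
     }
     catch (Exception err)
     {
         AppLog.Exception(err);
         return false;
     }
     return true;
 }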
        /// <summary>
        /// Serialises the audit policy currently held by <c>MainWindow</c> into <paramref name="writer"/>.
        /// </summary>
        /// <param name="writer">Destination stream writer; the policy's own <c>Write</c> defines the format.</param>
        public void Save(BinaryWriter writer)
        {
            // Snapshot the window's policy and stream it straight out.
            AuditPolicy.GetFromWindow(MainWindow).Write(writer);
        }
        /// <summary>
        /// Reads a stored audit policy from <paramref name="reader"/> and applies it to <c>MainWindow</c>.
        /// </summary>
        /// <param name="reader">Source stream reader; <c>AuditPolicy.Parse</c> defines the expected format.</param>
        public void Load(BinaryReader reader)
        {
            // Parse the stored policy and push it into the window in one step.
            AuditPolicy.Parse(reader).WriteToWindow(MainWindow);
        }
 /// <summary>
 /// Initialises every settings container to an empty instance so that collectors
 /// can populate them without null checks.
 /// </summary>
 public AllSettings()
 {
     // Collections first: these are filled incrementally by the individual collectors.
     processes = new List<ProcessModel>();
     services = new List<Services>();
     wefSettings = new Dictionary<string, string>();

     // Single-object settings, replaced wholesale once gathered.
     auditSettings = new AuditPolicy();
     dotNetVersions = new DotNetVersions();
     powershellSettings = new PowershellSettings();
 }
 /// <summary>
 /// Reports whether success auditing is currently enabled for the firewall event
 /// subcategory (<c>FirewallEventPolicyID</c>).
 /// </summary>
 /// <returns>
 /// <c>true</c> when the Success bit is set in the system policy; <c>false</c> otherwise,
 /// including when reading the policy throws (the exception is logged, not propagated).
 /// </returns>
 public bool HasAuditPolicy()
 {
     bool successAudited = false;
     try
     {
         AuditPolicy.AUDIT_POLICY_INFORMATION pol = AuditPolicy.GetSystemPolicy(FirewallEventPolicyID);
         // Only the Success flag matters here; Failure-only auditing reports false.
         successAudited = (pol.AuditingInformation & AuditPolicy.AUDIT_POLICY_INFORMATION_TYPE.Success) != 0;
     }
     catch (Exception err)
     {
         AppLog.Exception(err);
     }
     return successAudited;
 }
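        /// <summary>
        /// Builds an <see cref="AuditPolicy"/> tree of every audit category and its subcategories
        /// (with display names and the current system policy per subcategory) and stores it in
        /// <c>allSettings.auditSettings</c>.
        /// </summary>
        /// <remarks>
        /// The registry-based listing that used to live here as commented-out code has been removed;
        /// the data now comes exclusively from <c>AuditPolicyFetcher</c>.
        /// </remarks>
        public static void ListAuditSettings()
        {
            AuditPolicy ap = new AuditPolicy();

            // Top level: one entry per audit category, keyed by identifier with its display name.
            foreach (var categoryId in AuditPolicyFetcher.GetCategoryIdentifiers())
            {
                ap.AddCategory(categoryId, AuditPolicyFetcher.GetCategoryDisplayName(categoryId));
            }

            // For each category, resolve its subcategories, their display names and the
            // effective system policy, and attach them to the category.
            foreach (var category in ap.Categories)
            {
                foreach (var subCategoryId in AuditPolicyFetcher.GetSubCategoryIdentifiers(category.Identifier))
                {
                    category.AddSubCategory(
                        subCategoryId,
                        AuditPolicyFetcher.GetSubCategoryDisplayName(subCategoryId),
                        AuditPolicyFetcher.GetSystemPolicy(subCategoryId));
                }
            }

            allSettings.auditSettings = ap;
        }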
 /// <summary>
 /// Maps the system audit policy of the firewall event subcategory
 /// (<c>FirewallEventPolicyID</c>) onto an <see cref="Auditing"/> value.
 /// </summary>
 /// <returns>
 /// <c>Auditing.All</c> when both Success and Failure are audited, <c>Auditing.Allowed</c> for
 /// Success only, <c>Auditing.Blocked</c> for Failure only, and <c>Auditing.Off</c> when neither
 /// bit is set or reading the policy throws (the exception is logged, not propagated).
 /// </returns>
 public Auditing GetAuditPolicy()
 {
     try
     {
         AuditPolicy.AUDIT_POLICY_INFORMATION pol = AuditPolicy.GetSystemPolicy(FirewallEventPolicyID);
         AuditPolicy.AUDIT_POLICY_INFORMATION_TYPE flags = pol.AuditingInformation;

         // Decode both bits once, then pick the most specific mode.
         bool auditsSuccess = (flags & AuditPolicy.AUDIT_POLICY_INFORMATION_TYPE.Success) != 0;
         bool auditsFailure = (flags & AuditPolicy.AUDIT_POLICY_INFORMATION_TYPE.Failure) != 0;

         if (auditsSuccess && auditsFailure)
         {
             return Auditing.All;
         }
         if (auditsSuccess)
         {
             return Auditing.Allowed;
         }
         if (auditsFailure)
         {
             return Auditing.Blocked;
         }
     }
     catch (Exception err)
     {
         AppLog.Exception(err);
     }
     return Auditing.Off;
 }