/// <summary> /// Sets the audit policy configuration. /// </summary> /// <param name="policyInformation">AUDIT_POLICY_INFORMATION to be set</param> /// <returns>nothing</returns> static public void SetSystemPolicy(AUDIT_POLICY_INFORMATION policyInformation) { List <string> identifiers = new List <string>(); IntPtr buffer = Marshal.AllocHGlobal(Marshal.SizeOf(policyInformation)); Marshal.StructureToPtr(policyInformation, buffer, true); bool success = AuditSetSystemPolicy(buffer, 1); AuditFree(buffer); if (!success) { throw new Win32Exception(Marshal.GetLastWin32Error()); } }
/// <summary> /// Gets the audit policy configured for the specified subcategory GUID. /// </summary> /// <param name="subCategoryGuid">The GUID of the subcategory for which the policy should be returned.</param> /// <returns>Returns an AUDIT_POLICY_INFORMATION that contains information about the policy.</returns> static public AUDIT_POLICY_INFORMATION GetSystemPolicy(Guid subCategoryGuid) { List <string> identifiers = new List <string>(); IntPtr buffer; bool success = AuditQuerySystemPolicy(ref subCategoryGuid, 1, out buffer); if (!success) { throw new Win32Exception(Marshal.GetLastWin32Error()); } AUDIT_POLICY_INFORMATION policyInformation = (AUDIT_POLICY_INFORMATION)Marshal.PtrToStructure(buffer, typeof(AUDIT_POLICY_INFORMATION)); AuditFree(buffer); return(policyInformation); }
public void AuditQuerySetPerUserPolicyTest() { AUDIT_POLICY_INFORMATION[] orig = null; Assert.That(() => orig = AuditQueryPerUserPolicy(CurUserSid, new[] { regAudit }).ToArray(), Throws.Nothing); var api = new AUDIT_POLICY_INFORMATION { AuditSubCategoryGuid = regAudit, AuditingInformation = AuditCondition.PER_USER_AUDIT_SUCCESS_INCLUDE }; Assert.That(AuditSetPerUserPolicy(CurUserSid, new[] { api }, 1), ResultIs.Successful); Assert.That(AuditQueryPerUserPolicy(CurUserSid, new[] { regAudit }).ToArray(), Has.Length.EqualTo(1)); if (orig.Length == 0) { api.AuditingInformation = AuditCondition.PER_USER_AUDIT_NONE; } else { api = orig[0]; } Assert.That(AuditSetPerUserPolicy(CurUserSid, new[] { api }, 1), ResultIs.Successful); }
/// <summary> /// Gets the audit policy configured for the specified subcategory GUID. /// </summary> /// <param name="subCategoryGuid">The GUID of the subcategory for which the policy should be returned.</param> /// <returns>Returns an AUDIT_POLICY_INFORMATION that contains information about the policy.</returns> private static AUDIT_POLICY_INFORMATION GetSystemPolicy(Guid subCategoryGuid) { StringCollection identifiers = new StringCollection(); IntPtr buffer; bool success = AuditQuerySystemPolicy(subCategoryGuid, 1, out buffer); if (!success) { throw new Win32Exception(Marshal.GetLastWin32Error()); } AUDIT_POLICY_INFORMATION policyInformation = new AUDIT_POLICY_INFORMATION(); try { policyInformation = (AUDIT_POLICY_INFORMATION)Marshal.PtrToStructure(buffer, typeof(AUDIT_POLICY_INFORMATION)); AuditFree(buffer); } catch { Console.WriteLine("\n\nERROR 5: Insufficient privileges"); Environment.Exit(1); } return(policyInformation); }
public static Dictionary <AuditEventPolicy, Dictionary <String, AuditEventStatus> > GetSubcategoryPolicies() { Dictionary <AuditEventPolicy, Dictionary <String, AuditEventStatus> > result = new Dictionary <AuditEventPolicy, Dictionary <String, AuditEventStatus> >(); LSA_OBJECT_ATTRIBUTES objAttrs = new LSA_OBJECT_ATTRIBUTES(); IntPtr hPolicy = IntPtr.Zero; IntPtr pInfo = IntPtr.Zero; IntPtr pGuid = IntPtr.Zero; IntPtr pAuditPolicies = IntPtr.Zero; IntPtr pSubcategories = IntPtr.Zero; UInt32 lrc = LsaOpenPolicy(null, ref objAttrs, POLICY_VIEW_AUDIT_INFORMATION, out hPolicy); uint code = LsaNtStatusToWinError(lrc); if (code != 0) { throw new System.ComponentModel.Win32Exception((int)code); } try { // // Query the policy // lrc = LsaQueryInformationPolicy(hPolicy, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pInfo); code = LsaNtStatusToWinError(lrc); if (code != 0) { throw new System.ComponentModel.Win32Exception((int)code); } POLICY_AUDIT_EVENTS_INFO info = new POLICY_AUDIT_EVENTS_INFO(); info = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pInfo, info.GetType()); // // Iterate through the event types // for (UInt32 eventType = 0; eventType < info.MaximumAuditEventCount; eventType++) { pGuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(GUID))); if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)eventType, pGuid)) { throw new System.ComponentModel.Win32Exception(GetLastError()); } UInt32 subcategoryCount = 0; if (!AuditEnumerateSubCategories(pGuid, false, ref pSubcategories, out subcategoryCount)) { throw new System.ComponentModel.Win32Exception(GetLastError()); } if (!AuditQuerySystemPolicy(pSubcategories, subcategoryCount, out pAuditPolicies)) { throw new System.ComponentModel.Win32Exception(GetLastError()); } Dictionary <String, AuditEventStatus> dict = new Dictionary <String, AuditEventStatus>(); AUDIT_POLICY_INFORMATION policyInfo = new AUDIT_POLICY_INFORMATION(); for (UInt32 subcategoryIndex = 0; subcategoryIndex < subcategoryCount; subcategoryIndex++) { IntPtr itemPtr = new IntPtr(pAuditPolicies.ToInt64() + (long)subcategoryIndex * (Int64)Marshal.SizeOf(policyInfo)); policyInfo = (AUDIT_POLICY_INFORMATION)Marshal.PtrToStructure(itemPtr, policyInfo.GetType()); dict.Add(AuditPolicySubcategories[policyInfo.AuditSubCategoryGuid.ToString()], (AuditEventStatus)policyInfo.AuditingInformation); } result.Add((AuditEventPolicy)eventType, dict); AuditFree(pAuditPolicies); pAuditPolicies = IntPtr.Zero; AuditFree(pSubcategories); pSubcategories = IntPtr.Zero; Marshal.FreeHGlobal(pGuid); pGuid = IntPtr.Zero; } } finally { // // Cleanup // if (pInfo != IntPtr.Zero) { LsaFreeMemory(pInfo); } if (pGuid != IntPtr.Zero) { Marshal.FreeHGlobal(pGuid); } if (pAuditPolicies != IntPtr.Zero) { AuditFree(pAuditPolicies); } if (pSubcategories != IntPtr.Zero) { AuditFree(pSubcategories); } LsaClose(hPolicy); } return(result); }
public SubCategory(Guid pvGuid, string pvDisplayName, AUDIT_POLICY_INFORMATION pvAuditInfo) : this() { this.Identifier = pvGuid; this.DisplayName = pvDisplayName; this.Policy = pvAuditInfo.AuditingInformation; }
public void AddSubCategory(Guid pvGuid, string pvDisplayName, AUDIT_POLICY_INFORMATION pvAuditInfo) { SubCategories.Add(new SubCategory(pvGuid, pvDisplayName, pvAuditInfo)); }
public virtual Dictionary<AuditEventSubcategories, AuditEventStatus> GetAuditEventSubcategoriesPolicy(TargetInfo targetInfo) { Dictionary<AuditEventSubcategories, AuditEventStatus> retList = new Dictionary<AuditEventSubcategories, AuditEventStatus>(); string target = @"\\" + targetInfo.GetAddress(); LSA_UNICODE_STRING systemName = string2LSAUS(target); LSA_OBJECT_ATTRIBUTES objAttrs = new LSA_OBJECT_ATTRIBUTES(); IntPtr policyHandle = IntPtr.Zero; IntPtr pAuditEventsInfo = IntPtr.Zero; IntPtr pAuditCategoryId = IntPtr.Zero; IntPtr pAuditSubCategoryGuids = IntPtr.Zero; IntPtr pAuditPolicies = IntPtr.Zero; UInt32 lretVal = LsaOpenPolicy(ref systemName, ref objAttrs, POLICY_VIEW_AUDIT_INFORMATION, out policyHandle); UInt32 retVal = LsaNtStatusToWinError(lretVal); if (retVal == (UInt32)0) { try { lretVal = LsaQueryInformationPolicy(policyHandle, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pAuditEventsInfo); retVal = LsaNtStatusToWinError(lretVal); if (retVal == 0) { POLICY_AUDIT_EVENTS_INFO myAuditEventsInfo = new POLICY_AUDIT_EVENTS_INFO(); myAuditEventsInfo = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pAuditEventsInfo, myAuditEventsInfo.GetType()); for (var policyAuditEventType = 0; policyAuditEventType < myAuditEventsInfo.MaximumAuditEventCount; policyAuditEventType++) { pAuditCategoryId = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(GUID))); if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)policyAuditEventType, pAuditCategoryId)) { int causingError = GetLastError(); throw new System.ComponentModel.Win32Exception(causingError); } UInt32 nSubCats = 0; pAuditSubCategoryGuids = IntPtr.Zero; if (!AuditEnumerateSubCategories(pAuditCategoryId, false, ref pAuditSubCategoryGuids, out nSubCats)) { int causingError = GetLastError(); throw new System.ComponentModel.Win32Exception(causingError); } Marshal.FreeHGlobal(pAuditCategoryId); pAuditCategoryId = IntPtr.Zero; pAuditPolicies = IntPtr.Zero; if (nSubCats > 0) { if (!AuditQuerySystemPolicy(pAuditSubCategoryGuids, nSubCats, out pAuditPolicies)) { int causingError = GetLastError(); throw new System.ComponentModel.Win32Exception(causingError); } for (var subcategoryIndex = 0; subcategoryIndex < nSubCats; subcategoryIndex++) { AUDIT_POLICY_INFORMATION currentPolicy = new AUDIT_POLICY_INFORMATION(); IntPtr itemPtr = new IntPtr(pAuditPolicies.ToInt64() + (Int64)subcategoryIndex * (Int64)Marshal.SizeOf(currentPolicy)); currentPolicy = (AUDIT_POLICY_INFORMATION)Marshal.PtrToStructure(itemPtr, currentPolicy.GetType()); String subCategoryName = String.Empty; Marshal.StructureToPtr(currentPolicy, itemPtr, true); AuditLookupSubCategoryName(itemPtr, ref subCategoryName); AuditEventSubcategories value; if (subcategoriesDictionary.TryGetValue(subCategoryName, out value)) { retList.Add(value, (AuditEventStatus)(currentPolicy.AuditingInformation & 0x3)); } } if (pAuditPolicies != IntPtr.Zero) { AuditFree(pAuditPolicies); pAuditPolicies = IntPtr.Zero; } } if (pAuditSubCategoryGuids != IntPtr.Zero) { AuditFree(pAuditSubCategoryGuids); pAuditSubCategoryGuids = IntPtr.Zero; } nSubCats = 0; } } else { throw new System.ComponentModel.Win32Exception((int)retVal); } } finally { if (pAuditPolicies != IntPtr.Zero) { AuditFree(pAuditPolicies); pAuditPolicies = IntPtr.Zero; } if (pAuditSubCategoryGuids != IntPtr.Zero) { AuditFree(pAuditSubCategoryGuids); pAuditSubCategoryGuids = IntPtr.Zero; } if (pAuditEventsInfo != IntPtr.Zero) { LsaFreeMemory(pAuditEventsInfo); } if (pAuditCategoryId != IntPtr.Zero) { Marshal.FreeHGlobal(pAuditCategoryId); } LsaClose(policyHandle); } } else { throw new System.ComponentModel.Win32Exception((int)retVal); } return retList; }
public static Dictionary<AuditEventPolicy, Dictionary<String, AuditEventStatus>> GetSubcategoryPolicies() { Dictionary<AuditEventPolicy, Dictionary<String, AuditEventStatus>> result = new Dictionary<AuditEventPolicy, Dictionary<String, AuditEventStatus>>(); LSA_OBJECT_ATTRIBUTES objAttrs = new LSA_OBJECT_ATTRIBUTES(); IntPtr hPolicy = IntPtr.Zero; IntPtr pInfo = IntPtr.Zero; IntPtr pGuid = IntPtr.Zero; IntPtr pAuditPolicies = IntPtr.Zero; IntPtr pSubcategories = IntPtr.Zero; UInt32 lrc = LsaOpenPolicy(null, ref objAttrs, POLICY_VIEW_AUDIT_INFORMATION, out hPolicy); uint code = LsaNtStatusToWinError(lrc); if (code != 0) { throw new System.ComponentModel.Win32Exception((int)code); } try { // // Query the policy // lrc = LsaQueryInformationPolicy(hPolicy, POLICY_INFORMATION_CLASS.PolicyAuditEventsInformation, out pInfo); code = LsaNtStatusToWinError(lrc); if (code != 0) { throw new System.ComponentModel.Win32Exception((int)code); } POLICY_AUDIT_EVENTS_INFO info = new POLICY_AUDIT_EVENTS_INFO(); info = (POLICY_AUDIT_EVENTS_INFO)Marshal.PtrToStructure(pInfo, info.GetType()); // // Iterate through the event types // for (UInt32 eventType = 0; eventType < info.MaximumAuditEventCount; eventType++) { pGuid = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(GUID))); if (!AuditLookupCategoryGuidFromCategoryId((POLICY_AUDIT_EVENT_TYPE)eventType, pGuid)) { throw new System.ComponentModel.Win32Exception(GetLastError()); } UInt32 subcategoryCount = 0; if (!AuditEnumerateSubCategories(pGuid, false, ref pSubcategories, out subcategoryCount)) { throw new System.ComponentModel.Win32Exception(GetLastError()); } if (!AuditQuerySystemPolicy(pSubcategories, subcategoryCount, out pAuditPolicies)) { throw new System.ComponentModel.Win32Exception(GetLastError()); } Dictionary<String, AuditEventStatus> dict = new Dictionary<String, AuditEventStatus>(); AUDIT_POLICY_INFORMATION policyInfo = new AUDIT_POLICY_INFORMATION(); for (UInt32 subcategoryIndex = 0; subcategoryIndex < subcategoryCount; subcategoryIndex++) { IntPtr itemPtr = new IntPtr(pAuditPolicies.ToInt64() + (long)subcategoryIndex * (Int64)Marshal.SizeOf(policyInfo)); policyInfo = (AUDIT_POLICY_INFORMATION)Marshal.PtrToStructure(itemPtr, policyInfo.GetType()); dict.Add(AuditPolicySubcategories[policyInfo.AuditSubCategoryGuid.ToString()], (AuditEventStatus)policyInfo.AuditingInformation); } result.Add((AuditEventPolicy)eventType, dict); AuditFree(pAuditPolicies); pAuditPolicies = IntPtr.Zero; AuditFree(pSubcategories); pSubcategories = IntPtr.Zero; Marshal.FreeHGlobal(pGuid); pGuid = IntPtr.Zero; } } finally { // // Cleanup // if (pInfo != IntPtr.Zero) { LsaFreeMemory(pInfo); } if (pGuid != IntPtr.Zero) { Marshal.FreeHGlobal(pGuid); } if (pAuditPolicies != IntPtr.Zero) { AuditFree(pAuditPolicies); } if (pSubcategories != IntPtr.Zero) { AuditFree(pSubcategories); } LsaClose(hPolicy); } return result; }