Win32 API FAQ


 

8)----------------------------------------------------------------------------

 

    Q> Как включить/выключить аудит?

    A>

#include
#include
#include
#pragma hdrstop

// This code was kindly provided by Marc Esipovich [e-mail address hidden by the site's anti-spam script].
// The original filename was "isauditon.c".
// Modifications by felixk:
// IsAuditOn() now accepts a BOOL; if FALSE, the code will
// _not_ force the audit settings to ON.
// Changed return type to int, as it may return 0, 1, -1.
// Added a small main() to call IsAuditOn(FALSE).

/*

     RETURNS: 1 if Auditing has been enabled, 0 if no action taken, -1 on error.

     COMMENT: Automatically enables all audit policy events when called with forceAuditOn = TRUE.

     Values are, 0 for no log at all, 1 for success only, 2 for failure only,
     3 for both success and failure.

typedef struct _POLICY_BUFFER {
     DWORD IsAuditEnabled; // 1 = ON, 0 = OFF.
     PVOID pPolicies; // pointer to the start policy struct.

     DWORD restart_shutdown_and_system;
     DWORD junk1;
     DWORD logon_and_logoff;
     DWORD junk2;
     DWORD file_and_object_access;
     DWORD junk3;
     DWORD use_of_user_rights;
     DWORD junk4;
     DWORD process_tracking;
     DWORD junk5;
     DWORD security_policy_changes;
     DWORD junk6;
     DWORD user_and_group_management;
     DWORD junk7;
} POLICY_BUFFER, *PPOLICY_BUFFER;
*/

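/*
 * IsAuditOn - open the local LSA policy, read the audit-events policy and,
 * when asked to, switch every audit category to success+failure auditing.
 *
 * forceAuditOn: TRUE  - set AuditingMode and every event category to
 *                       success+failure and write the policy back;
 *               FALSE - open and query the policy only; nothing is changed.
 *
 * RETURNS: 1 if the policy was written (auditing enabled), 0 if no action
 *          was taken, -1 if any LSA call failed.  Note that, despite the
 *          name, the function does not report the *current* AuditingMode
 *          when forceAuditOn is FALSE; it returns 0 in that case.
 *
 * Requires <windows.h> and <ntsecapi.h> (the #include lines on this page
 * lost their header names).  The caller must hold the LSA rights named in
 * the access mask below; writing the audit policy normally needs an
 * administrative token.
 *
 * Fixes relative to the original listing:
 *  - the returned buffer is typed as POLICY_AUDIT_EVENTS_INFO instead of
 *    being poked through a mismatched POLICY_ACCOUNT_DOMAIN_INFO view
 *    (seven 16-bit writes at even offsets that only worked by layout luck);
 *  - the LSA handle is released with LsaClose and the query buffer with
 *    LsaFreeMemory, on every path (the original called LsaFreeMemory on
 *    the handle and returned early without closing it);
 *  - the open requests only the audit-policy rights actually used, not
 *    POLICY_ALL_ACCESS | GENERIC_*, so it does not fail for callers that
 *    have audit rights but not every other policy right.
 */
int IsAuditOn( BOOL forceAuditOn )
{
    int rc = -1;                        /* pessimistic; set to 0/1 once the LSA calls succeed */
    POLICY_AUDIT_EVENTS_INFO *pInfo = NULL;
    SECURITY_QUALITY_OF_SERVICE sqos = {0};
    LSA_OBJECT_ATTRIBUTES lsaOA = {0};
    LSA_HANDLE polHandle = NULL;
    NTSTATUS nts;
    ULONG i;

    /* Quality of Service for the policy handle (same values as the original). */
    sqos.Length = sizeof sqos;
    sqos.ImpersonationLevel = SecurityImpersonation;
    sqos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
    sqos.EffectiveOnly = FALSE;

    /* Object attributes: only Length and the QoS pointer are set; the
       remaining members stay zero (the original set each to NULL/0 by hand). */
    lsaOA.Length = sizeof lsaOA;
    lsaOA.SecurityQualityOfService = &sqos;

    /* Least privilege: POLICY_VIEW_AUDIT_INFORMATION is what the query
       needs; POLICY_SET_AUDIT_REQUIREMENTS is added only when we intend
       to write the policy back. */
    nts = LsaOpenPolicy(
        NULL,                           /* NULL = local machine */
        &lsaOA,
        POLICY_VIEW_AUDIT_INFORMATION |
            (forceAuditOn ? POLICY_SET_AUDIT_REQUIREMENTS : 0),
        &polHandle);
    if (nts != 0)
        return -1;                      /* nothing acquired yet, nothing to release */

    nts = LsaQueryInformationPolicy(
        polHandle,
        PolicyAuditEventsInformation,
        (PVOID *)&pInfo);
    if (nts != 0 || pInfo == NULL)
        goto out_close;                 /* rc is still -1 */

    rc = 0;                             /* query succeeded; no change made yet */

    if (forceAuditOn)
    {
        /* Enable success+failure auditing (the original's value 3) for every
           category the LSA reports.  Walking MaximumAuditEventCount instead
           of a hard-coded seven also covers categories added after NT4. */
        for (i = 0; i < pInfo->MaximumAuditEventCount; i++)
            pInfo->EventAuditingOptions[i] =
                POLICY_AUDIT_EVENT_SUCCESS | POLICY_AUDIT_EVENT_FAILURE;

        /* Corresponds to the original's "DomainName.Length = 1" poke. */
        pInfo->AuditingMode = TRUE;

        nts = LsaSetInformationPolicy(
            polHandle,
            PolicyAuditEventsInformation,
            pInfo);
        rc = (nts != 0) ? -1 : 1;
    }

    LsaFreeMemory(pInfo);               /* buffer allocated by LsaQueryInformationPolicy */
out_close:
    LsaClose(polHandle);                /* release the policy handle on every path */
    return rc;
}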

 

 