Q> Как включить/выключить аудит?
A>

#include <windows.h>
#include <stdio.h>
#include <ntsecapi.h>
#pragma hdrstop

// This code was kindly provided by Marc Esipovich, marc@mucom.co.il.
// The original filename was "isauditon.c".
// Modifications by felixk:
// IsAuditOn() now accepts a BOOL; if FALSE, the code will
// _not_ force the audit settings to ON.
// Changed return type to int, as it may return 0, 1, -1.
// Added a small main() to call IsAuditOn(FALSE).

/*

RETURNS: 1 if Auditing has been enabled, 0 if no action taken, -1 on error.

COMMENT: When called with forceAuditOn == TRUE, enables all audit policy event categories; with FALSE the policy is only read and left as it is.

Per-category option values are: 0 for no log at all, 1 for success only,
2 for failure only, 3 for both success and failure.

typedef struct _POLICY_BUFFER {
DWORD IsAuditEnabled; // 1 = ON, 0 = OFF.
PVOID pPolicies; // pointer to the start policy struct.

DWORD restart_shutdown_and_system;
DWORD junk1;
DWORD logon_and_logoff;
DWORD junk2;
DWORD file_and_object_access;
DWORD junk3;
DWORD use_of_user_rights;
DWORD junk4;
DWORD process_tracking;
DWORD junk5;
DWORD security_policy_changes;
DWORD junk6;
DWORD user_and_group_management;
DWORD junk7;
} POLICY_BUFFER, *PPOLICY_BUFFER;
*/

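/*
 * IsAuditOn -- open the local LSA policy object, read the audit-event policy
 * and, when forceAuditOn is TRUE, switch every audit category to
 * "success and failure" and turn auditing on.
 *
 * forceAuditOn: TRUE  -> the policy is written. This needs
 *                        POLICY_SET_AUDIT_REQUIREMENTS on the policy object,
 *                        which normally means an administrative caller.
 *               FALSE -> read only; nothing on the machine is changed and the
 *                        call only needs POLICY_VIEW_AUDIT_INFORMATION.
 *
 * RETURNS: 1 if the audit policy was written, 0 if no action was taken,
 *          -1 on any LSA error. The policy handle and the LSA-allocated
 *          buffer are released on every path.
 *
 * NOTE(review): the original reached the audit options through
 * POLICY_ACCOUNT_DOMAIN_INFO.DomainName.Buffer[0,2,4,...], which appears to
 * work only because that struct happens to overlay POLICY_AUDIT_EVENTS_INFO
 * in memory, and it wrote seven fixed slots without checking how many
 * categories the OS actually reports. PolicyAuditEventsInformation is
 * documented to use POLICY_AUDIT_EVENTS_INFO, so that type is used directly
 * and the loop is bounded by MaximumAuditEventCount.
 */
int IsAuditOn( BOOL forceAuditOn )
{
    int rc = -1;
    POLICY_AUDIT_EVENTS_INFO *pAudit = NULL;
    SECURITY_QUALITY_OF_SERVICE sqos;
    LSA_OBJECT_ATTRIBUTES lsaOA;
    LSA_HANDLE polHandle = NULL;
    ACCESS_MASK access;
    NTSTATUS nts;
    ULONG i;

    /* fill the Quality Of Service struct. */
    sqos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
    sqos.ImpersonationLevel = SecurityImpersonation;
    sqos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
    sqos.EffectiveOnly = FALSE;

    /* fill the Object Attributes struct. */
    lsaOA.Length = sizeof(LSA_OBJECT_ATTRIBUTES);
    lsaOA.RootDirectory = NULL;
    lsaOA.ObjectName = NULL;
    lsaOA.Attributes = 0;
    lsaOA.SecurityDescriptor = NULL;
    lsaOA.SecurityQualityOfService = &sqos;

    /*
     * Least privilege: request only the rights this call path uses. The
     * original asked for POLICY_ALL_ACCESS | GENERIC_* even for a read-only
     * query, so a non-administrative caller failed before reading anything.
     */
    access = POLICY_VIEW_AUDIT_INFORMATION;
    if ( forceAuditOn )
    {
        access |= POLICY_SET_AUDIT_REQUIREMENTS;
    }

    nts = LsaOpenPolicy(
        NULL, /* NULL = current machine. */
        &lsaOA,
        access,
        &polHandle);
    if (nts != 0)
    {
        return -1; /* nothing acquired yet */
    }

    nts = LsaQueryInformationPolicy(
        polHandle,
        PolicyAuditEventsInformation,
        (PVOID *)&pAudit);
    if (nts != 0)
    {
        goto out_close;
    }

    rc = 0;

    if ( forceAuditOn )
    {
        /*
         * 3 == POLICY_AUDIT_EVENT_SUCCESS | POLICY_AUDIT_EVENT_FAILURE, i.e.
         * log both outcomes for every category the OS reports. To switch a
         * category off in a set call, POLICY_AUDIT_EVENT_NONE must be used;
         * a plain 0 is POLICY_AUDIT_EVENT_UNCHANGED and leaves it as is.
         */
        for (i = 0; i < pAudit->MaximumAuditEventCount; i++)
        {
            pAudit->EventAuditingOptions[i] =
                POLICY_AUDIT_EVENT_SUCCESS | POLICY_AUDIT_EVENT_FAILURE;
        }

        /* AuditingMode is the master switch; the per-category options are
           only honoured while it is TRUE. */
        pAudit->AuditingMode = TRUE;

        nts = LsaSetInformationPolicy(
            polHandle,
            PolicyAuditEventsInformation,
            pAudit);
        rc = (nts != 0) ? -1 : 1;
    }

    /* The query buffer is LSA-owned memory; the handle is closed, not freed
       (the original passed the handle to LsaFreeMemory and leaked both). */
    LsaFreeMemory(pAudit);
out_close:
    LsaClose(polHandle);

    return rc;
}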


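/*
 * Entry point: query the audit policy without changing it
 * (IsAuditOn(FALSE)) and print the outcome.
 *
 * Exit status is 0 when IsAuditOn returned 0 or 1 and 1 when it reported
 * an LSA error, so a calling script can distinguish the two; the original
 * always returned 0.
 */
int main( void )
{
    int rc = IsAuditOn( FALSE );

    switch ( rc )
    {
    case 1:
        puts( "Auditing has been enabled." );
        break;
    case 0:
        puts( "The audit state is unchanged." );
        break;
    default:
        puts( "Oops!" );
        break;
    }

    return rc < 0 ? 1 : 0;
}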

