
Is there an API to remotely read a Windows machine's audit configuration?

I need to know, for each subcategory, whether it'll be audited on success, on failure, both, or none. This information is available locally via AuditEnumerateSubCategories; however, there does not appear to be a means to access this same information remotely. Below is an example of the information I need to collect.

Can I get this through WMI? Or if not, by other means, assuming I have proper (admin) credentials to the target machine?

Again, to clarify, it's not the event log I need to read, it's the logging configuration.

  <security_state_change>AUDIT_SUCCESS</security_state_change>
  <security_system_extension>AUDIT_NONE</security_system_extension>
  <system_integrity>AUDIT_SUCCESS_FAILURE</system_integrity>
  <ipsec_driver>AUDIT_NONE</ipsec_driver>
  <other_system_events>AUDIT_SUCCESS_FAILURE</other_system_events>
  <logon>AUDIT_SUCCESS</logon>
  <logoff>AUDIT_SUCCESS</logoff>
  <account_lockout>AUDIT_SUCCESS</account_lockout>
  <ipsec_main_mode>AUDIT_NONE</ipsec_main_mode>
  <ipsec_quick_mode>AUDIT_NONE</ipsec_quick_mode>
  <ipsec_extended_mode>AUDIT_NONE</ipsec_extended_mode>
  <special_logon>AUDIT_SUCCESS</special_logon>
  <other_logon_logoff_events>AUDIT_NONE</other_logon_logoff_events>
  <file_system>AUDIT_NONE</file_system>
  <registry>AUDIT_NONE</registry>
  <kernel_object>AUDIT_NONE</kernel_object>
  <sam>AUDIT_NONE</sam>
  <certification_services>AUDIT_NONE</certification_services>
  <application_generated>AUDIT_NONE</application_generated>
  <handle_manipulation>AUDIT_NONE</handle_manipulation>
  <file_share>AUDIT_NONE</file_share>
  <filtering_platform_packet_drop>AUDIT_NONE</filtering_platform_packet_drop>
  <filtering_platform_connection>AUDIT_NONE</filtering_platform_connection>
  <other_object_access_events>AUDIT_NONE</other_object_access_events>
  <sensitive_privilege_use>AUDIT_NONE</sensitive_privilege_use>
  <non_sensitive_privilege_use>AUDIT_NONE</non_sensitive_privilege_use>
  <other_privilege_use_events>AUDIT_NONE</other_privilege_use_events>
  <process_creation>AUDIT_NONE</process_creation>
  <process_termination>AUDIT_NONE</process_termination>
  <dpapi_activity>AUDIT_NONE</dpapi_activity>
  <rpc_events>AUDIT_NONE</rpc_events>
  <audit_policy_change>AUDIT_SUCCESS</audit_policy_change>
  <authentication_policy_change>AUDIT_SUCCESS</authentication_policy_change>
  <authorization_policy_change>AUDIT_NONE</authorization_policy_change>
  <mpssvc_rule_level_policy_change>AUDIT_NONE</mpssvc_rule_level_policy_change>
  <filtering_platform_policy_change>AUDIT_NONE</filtering_platform_policy_change>
  <other_policy_change_events>AUDIT_NONE</other_policy_change_events>
  <user_account_management>AUDIT_SUCCESS</user_account_management>
  <computer_account_management>AUDIT_NONE</computer_account_management>
  <security_group_management>AUDIT_SUCCESS</security_group_management>
  <distribution_group_management>AUDIT_NONE</distribution_group_management>
  <application_group_management>AUDIT_NONE</application_group_management>
  <other_account_management_events>AUDIT_NONE</other_account_management_events>
  <directory_service_access>AUDIT_NONE</directory_service_access>
  <directory_service_changes>AUDIT_NONE</directory_service_changes>
  <directory_service_replication>AUDIT_NONE</directory_service_replication>
  <detailed_directory_service_replication>AUDIT_NONE</detailed_directory_service_replication>
  <credential_validation>AUDIT_NONE</credential_validation>
  <kerberos_ticket_events>AUDIT_NONE</kerberos_ticket_events>
  <other_account_logon_events>AUDIT_NONE</other_account_logon_events>


A few suggestions for you to look into are:

The RSOP_AuditPolicy WMI class - It provides access to the settings related to auditing various types of events. One caveat, which may not be an issue for you, is that it is only supported on Windows XP and higher.

LSA Policy Functions - A set of Windows API functions that allow you to query policy information, including auditing, on a local or remote machine. The LsaQueryInformationPolicy function will be of interest.

Audit Policy Functions - They are only available in Windows Vista and higher. See this Code Project article for more information.
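
As an added example (not part of the question or the answer above), the PowerShell script below collects the effective per-subcategory audit policy from a remote host, renders it in the XML form shown in the question, and flags subcategories that a small detection baseline expects to be enabled. The host name srv01.example.local, the credential, the baseline list and the use of PowerShell Remoting (WinRM) are assumptions. The query runs on the target because the Audit Policy API that auditpol wraps (AuditEnumerateSubCategories, AuditQuerySystemPolicy) has no remote variant; LsaQueryInformationPolicy can be called against a remote system but only reports the nine legacy categories, not subcategories.

```powershell
# Added example, not code from the original question or answer.
# Reads a remote host's effective audit policy by running auditpol on that
# host over PowerShell Remoting and converting the CSV into the AUDIT_* form.
#
# Assumptions (not stated on the page):
#  - WinRM is enabled on the target and reachable from here.
#  - $Credential is an account in the target's Administrators group;
#    auditpol /get needs the "Manage auditing and security log" privilege.
#  - The target uses an English locale. auditpol localizes subcategory names
#    and setting strings; only the Subcategory GUID column is locale-independent.

function ConvertTo-AuditSetting {
    param([string]$InclusionSetting)
    switch ($InclusionSetting) {
        'Success and Failure' { 'AUDIT_SUCCESS_FAILURE' }
        'Success'             { 'AUDIT_SUCCESS' }
        'Failure'             { 'AUDIT_FAILURE' }
        'No Auditing'         { 'AUDIT_NONE' }
        # Unexpected (e.g. localized) value: surface it instead of guessing.
        default               { "UNKNOWN($InclusionSetting)" }
    }
}

function Get-RemoteAuditPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )

    $invokeArgs = @{
        ComputerName = $ComputerName
        ScriptBlock  = { auditpol.exe /get /category:* /r }
    }
    if ($Credential) { $invokeArgs.Credential = $Credential }

    # auditpol /r emits CSV with the header:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $rows = Invoke-Command @invokeArgs | Where-Object { $_ -ne '' } | ConvertFrom-Csv

    foreach ($row in $rows) {
        [pscustomobject]@{
            ComputerName = $row.'Machine Name'
            Subcategory  = $row.Subcategory
            Guid         = $row.'Subcategory GUID'
            # Element name mirrors the question's XML:
            # "Other Logon/Logoff Events" -> other_logon_logoff_events
            ElementName  = ($row.Subcategory.ToLower() -replace '[^a-z0-9]+', '_').Trim('_')
            Setting      = ConvertTo-AuditSetting $row.'Inclusion Setting'
        }
    }
}

function ConvertTo-AuditPolicyXml {
    param([Parameter(ValueFromPipeline)]$Entry)
    begin   { $sb = [System.Text.StringBuilder]::new(); [void]$sb.AppendLine('<audit_policy>') }
    process { [void]$sb.AppendLine("  <$($Entry.ElementName)>$($Entry.Setting)</$($Entry.ElementName)>") }
    end     { [void]$sb.AppendLine('</audit_policy>'); $sb.ToString() }
}

# Usage (assumed host name): collect, render, then check against a baseline.
$policy = Get-RemoteAuditPolicy -ComputerName 'srv01.example.local' -Credential (Get-Credential)
$policy | ConvertTo-AuditPolicyXml

# Assumed baseline: subcategories a SOC would normally expect to be on.
$expectedOn = 'Process Creation', 'Logon', 'Audit Policy Change', 'Security Group Management'
$policy |
    Where-Object { $_.Subcategory -in $expectedOn -and $_.Setting -eq 'AUDIT_NONE' } |
    ForEach-Object { Write-Warning "$($_.ComputerName): '$($_.Subcategory)' is not audited" }
```

Matching on the Subcategory GUID rather than the name makes the baseline check locale-independent; the names are used above only because they map directly onto the element names in the question. If WinRM is not available, the same auditpol command can be run through any other remote-execution channel that yields an elevated token on the target, since the underlying API cannot be called across the network.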
