Is there an API to remotely read a Windows machine's audit configuration?
I need to know, for each subcategory, whether it will be audited on success, on failure, both, or not at all. This information is available locally via AuditEnumerateSubCategories, but there does not appear to be a way to access the same information remotely. Below is an example of the information I need to collect.
Can I get this through WMI? Or, if not, by some other means, assuming I have proper (admin) credentials for the target machine?
To clarify again: it is not the event log I need to read, it is the logging configuration.
<security_state_change>AUDIT_SUCCESS</security_state_change>
<security_system_extension>AUDIT_NONE</security_system_extension>
<system_integrity>AUDIT_SUCCESS_FAILURE</system_integrity>
<ipsec_driver>AUDIT_NONE</ipsec_driver>
<other_system_events>AUDIT_SUCCESS_FAILURE</other_system_events>
<logon>AUDIT_SUCCESS</logon>
<logoff>AUDIT_SUCCESS</logoff>
<account_lockout>AUDIT_SUCCESS</account_lockout>
<ipsec_main_mode>AUDIT_NONE</ipsec_main_mode>
<ipsec_quick_mode>AUDIT_NONE</ipsec_quick_mode>
<ipsec_extended_mode>AUDIT_NONE</ipsec_extended_mode>
<special_logon>AUDIT_SUCCESS</special_logon>
<other_logon_logoff_events>AUDIT_NONE</other_logon_logoff_events>
<file_system>AUDIT_NONE</file_system>
<registry>AUDIT_NONE</registry>
<kernel_object>AUDIT_NONE</kernel_object>
<sam>AUDIT_NONE</sam>
<certification_services>AUDIT_NONE</certification_services>
<application_generated>AUDIT_NONE</application_generated>
<handle_manipulation>AUDIT_NONE</handle_manipulation>
<file_share>AUDIT_NONE</file_share>
<filtering_platform_packet_drop>AUDIT_NONE</filtering_platform_packet_drop>
<filtering_platform_connection>AUDIT_NONE</filtering_platform_connection>
<other_object_access_events>AUDIT_NONE</other_object_access_events>
<sensitive_privilege_use>AUDIT_NONE</sensitive_privilege_use>
<non_sensitive_privilege_use>AUDIT_NONE</non_sensitive_privilege_use>
<other_privilege_use_events>AUDIT_NONE</other_privilege_use_events>
<process_creation>AUDIT_NONE</process_creation>
<process_termination>AUDIT_NONE</process_termination>
<dpapi_activity>AUDIT_NONE</dpapi_activity>
<rpc_events>AUDIT_NONE</rpc_events>
<audit_policy_change>AUDIT_SUCCESS</audit_policy_change>
<authentication_policy_change>AUDIT_SUCCESS</authentication_policy_change>
<authorization_policy_change>AUDIT_NONE</authorization_policy_change>
<mpssvc_rule_level_policy_change>AUDIT_NONE</mpssvc_rule_level_policy_change>
<filtering_platform_policy_change>AUDIT_NONE</filtering_platform_policy_change>
<other_policy_change_events>AUDIT_NONE</other_policy_change_events>
<user_account_management>AUDIT_SUCCESS</user_account_management>
<computer_account_management>AUDIT_NONE</computer_account_management>
<security_group_management>AUDIT_SUCCESS</security_group_management>
<distribution_group_management>AUDIT_NONE</distribution_group_management>
<application_group_management>AUDIT_NONE</application_group_management>
<other_account_management_events>AUDIT_NONE</other_account_management_events>
<directory_service_access>AUDIT_NONE</directory_service_access>
<directory_service_changes>AUDIT_NONE</directory_service_changes>
<directory_service_replication>AUDIT_NONE</directory_service_replication>
<detailed_directory_service_replication>AUDIT_NONE</detailed_directory_service_replication>
<credential_validation>AUDIT_NONE</credential_validation>
<kerberos_ticket_events>AUDIT_NONE</kerberos_ticket_events>
<other_account_logon_events>AUDIT_NONE</other_account_logon_events>
A few suggestions for you to look into are:
The RSOP_AuditPolicy WMI class - It provides access to the settings related to auditing various types of events. One caveat, which may not be an issue for you, is that it is only supported on Windows XP and higher.
LSA Policy Functions - A set of Windows API functions that allow you to query policy information, including auditing, on a local or remote machine. The LsaQueryInformationPolicy function will be of interest.
Audit Policy Functions - They are only available in Windows Vista and higher. See this Code Project article for more information.
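As an added example (not part of the question or the answer above), the following PowerShell shows the two routes in practice. RSOP_AuditPolicy and LsaQueryInformationPolicy report the nine legacy audit categories, so for the per-subcategory view the question asks for, the practical approach is to run auditpol on the target over PowerShell remoting and map its CSV output to the AUDIT_* tokens used in the question's XML. Assumptions: WinRM is enabled on the target, the caller holds admin credentials, and the target runs with an English locale (auditpol's "Inclusion Setting" strings are localized; the subcategory GUIDs are not, which is why they are kept in the output). $target and $cred are placeholders.

```powershell
# Added example, not from the original question or answer.
# Assumes WinRM is enabled on the target and admin credentials are available.

function Get-RemoteAuditSubcategories {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential
    )

    # auditpol has no remote switch, so run it on the target and return its CSV.
    # Columns: Machine Name, Policy Target, Subcategory, Subcategory GUID,
    #          Inclusion Setting, Exclusion Setting
    $csv = Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
        auditpol.exe /get /category:* /r
    }

    $rows = $csv | Where-Object { $_ -match '\S' } | ConvertFrom-Csv

    foreach ($row in $rows) {
        # Map the English-locale auditpol strings to the question's AUDIT_* tokens.
        $setting = switch ($row.'Inclusion Setting') {
            'Success'             { 'AUDIT_SUCCESS' }
            'Failure'             { 'AUDIT_FAILURE' }
            'Success and Failure' { 'AUDIT_SUCCESS_FAILURE' }
            'No Auditing'         { 'AUDIT_NONE' }
            default               { "UNKNOWN($($row.'Inclusion Setting'))" }
        }
        [pscustomobject]@{
            Subcategory = $row.Subcategory
            Guid        = $row.'Subcategory GUID'   # stable across locales
            Setting     = $setting
        }
    }
}

function Get-RemoteAuditCategoriesRsop {
    # Category-level (legacy nine categories) view via the RSOP_AuditPolicy class.
    # Only settings delivered by Group Policy appear here; local auditpol changes do not.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential
    )

    # Get-CimInstance has no -Credential parameter, so authenticate via a CIM session.
    $session = New-CimSession -ComputerName $ComputerName -Credential $Credential
    try {
        Get-CimInstance -CimSession $session -Namespace 'root\rsop\computer' `
            -ClassName RSOP_AuditPolicy |
            Select-Object Category, Success, Failure, Precedence
    }
    finally {
        Remove-CimSession -CimSession $session
    }
}

# Usage (placeholders):
$target = 'SERVER01'
$cred   = Get-Credential
Get-RemoteAuditSubcategories -ComputerName $target -Credential $cred |
    Format-Table Subcategory, Setting -AutoSize
Get-RemoteAuditCategoriesRsop -ComputerName $target -Credential $cred |
    Format-Table -AutoSize
```

A practitioner comparing hosts against a baseline should key the comparison on the Subcategory GUID rather than the display name, so that the check survives localized or renamed subcategories; the first function keeps the GUID in its output for that reason.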