8. FAQ on Win API

Q> How do I enable/disable auditing (the local LSA audit policy) programmatically?
A> 
#include <windows.h> 
#include <stdio.h> 
#include <ntsecapi.h> 
#pragma hdrstop 

//This code was kindly provided by Marc Esipovich, marc@mucom.co.il. 
//The original filename was "isauditon.c". 
//Modifications by felixk: 
//IsAuditOn () now accepts a BOOL; if FALSE, the code will 
//_not_ force the audit settings to ON (it only opens and queries the policy). 
//Changed the return type to int, as it may return 0, 1 or -1. 
//Added a small main () that calls IsAuditOn (FALSE). 
//NOTE(review): opening the LSA policy object for writing needs administrative 
//rights; unprivileged callers will get a failure status and the function 
//returns -1. 

/* 

 RETURNS: 1 if auditing has been enabled, 0 if no action was taken, -1 on error. 

 COMMENT: When asked to, turns on every audit policy category (success and 
 failure) and switches the policy's global auditing mode on. 

 Per-category option values: 0 = no logging at all, 1 = success only, 
 2 = failure only, 3 = both success and failure. 

 NOTE(review): the struct below is the original author's reverse-engineered 
 sketch of the buffer returned for PolicyAuditEventsInformation, used to 
 justify poking it through a POLICY_ACCOUNT_DOMAIN_INFO pointer. The SDK 
 (ntsecapi.h) declares that buffer as POLICY_AUDIT_EVENTS_INFO with the 
 members AuditingMode, EventAuditingOptions (array of per-category options) 
 and MaximumAuditEventCount; code should use that declared layout and bound 
 its writes by MaximumAuditEventCount rather than rely on this sketch. 
 The spacing of the entries in the sketch (one "junk" DWORD after each 
 category) does not obviously match the even WCHAR indices used in the 
 code, so treat it as notes, not as a contract. 

typedef struct _POLICY_BUFFER { 
 DWORD IsAuditEnabled;//1 = ON, 0 = OFF. 
 PVOID pPolicies;//pointer to the start policy struct. 

 DWORD restart_shutdown_and_system; 
 DWORD junk1; 
 DWORD logon_and_logoff; 
 DWORD junk2; 
 DWORD file_and_object_access; 
 DWORD junk3; 
 DWORD use_of_user_rights; 
 DWORD junk4; 
 DWORD process_tracking; 
 DWORD junk5; 
 DWORD security_policy_changes; 
 DWORD junk6; 
 DWORD user_and_group_management; 
 DWORD junk7; 
} POLICY_BUFFER, *PPOLICY_BUFFER; 
*/ 

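/*
 * IsAuditOn -- open the local LSA policy, query its audit-events information
 * and, if forceAuditOn is TRUE, switch every audit category on for both
 * success and failure and enable the global auditing mode.
 *
 *  forceAuditOn  FALSE: open and query only; the policy is not modified.
 *                TRUE : write the policy (needs administrative rights).
 *
 *  RETURNS: 1 if the audit policy was written, 0 if no action was taken,
 *           -1 if any LSA call failed.
 *
 * Changes versus the original listing:
 *  - the query result is typed as POLICY_AUDIT_EVENTS_INFO (the SDK type for
 *    PolicyAuditEventsInformation) instead of being written through a
 *    POLICY_ACCOUNT_DOMAIN_INFO pointer at hand-picked WCHAR offsets;
 *  - writes are bounded by MaximumAuditEventCount, so every category the
 *    running system reports is covered and nothing past the array is touched;
 *  - the requested access mask is the minimum for the operation performed
 *    (view, plus set-audit-requirements only when writing) instead of
 *    POLICY_ALL_ACCESS | GENERIC_*;
 *  - the policy handle is released with LsaClose (the original passed it to
 *    LsaFreeMemory) and the query buffer with LsaFreeMemory, on every path.
 *
 * Operational caveat: forcing every category to success+failure (notably
 * object access and process tracking) can flood the Security event log.
 */
int IsAuditOn (BOOL forceAuditOn)
{
    int rc = -1;
    POLICY_AUDIT_EVENTS_INFO *pAudit = NULL;
    SECURITY_QUALITY_OF_SERVICE sqos;
    LSA_OBJECT_ATTRIBUTES lsaOA;
    LSA_HANDLE polHandle = NULL;
    ACCESS_MASK access;
    NTSTATUS nts;
    ULONG i;

    /* Quality of service for the policy handle, as in the original. */
    ZeroMemory (&sqos, sizeof sqos);
    sqos.Length = sizeof (SECURITY_QUALITY_OF_SERVICE);
    sqos.ImpersonationLevel = SecurityImpersonation;
    sqos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
    sqos.EffectiveOnly = FALSE;

    /* Object attributes: everything zero except Length and the QoS pointer. */
    ZeroMemory (&lsaOA, sizeof lsaOA);
    lsaOA.Length = sizeof (LSA_OBJECT_ATTRIBUTES);
    lsaOA.SecurityQualityOfService = &sqos;

    /* Least privilege: only ask for the rights this call will actually use. */
    access = POLICY_VIEW_AUDIT_INFORMATION;
    if (forceAuditOn)
        access |= POLICY_SET_AUDIT_REQUIREMENTS;

    nts = LsaOpenPolicy (
        NULL,           /* NULL = local machine */
        &lsaOA,
        access,
        &polHandle);
    if (nts != 0)
        return -1;      /* no handle to release yet */

    nts = LsaQueryInformationPolicy (
        polHandle,
        PolicyAuditEventsInformation,
        (PVOID *) &pAudit);
    if (nts != 0)
        goto done;

    rc = 0;             /* opened and queried; nothing changed so far */

    if (forceAuditOn)
    {
        /* 3 in the original == SUCCESS | FAILURE for every category the
         * system reports; stay inside the array LSA handed back. */
        for (i = 0; i < pAudit->MaximumAuditEventCount; i++)
            pAudit->EventAuditingOptions[i] =
                POLICY_AUDIT_EVENT_SUCCESS | POLICY_AUDIT_EVENT_FAILURE;

        /* The original set the first USHORT of the buffer to 1: that is the
         * global on/off switch, AuditingMode. */
        pAudit->AuditingMode = TRUE;

        nts = LsaSetInformationPolicy (
            polHandle,
            PolicyAuditEventsInformation,
            pAudit);
        rc = (nts == 0) ? 1 : -1;
    }

done:
    /* Release the query buffer and the policy handle on every path. */
    if (pAudit != NULL)
        LsaFreeMemory (pAudit);
    LsaClose (polHandle);

    return rc;
}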


/*
 * Entry point: query the audit policy without changing it and report the
 * outcome of IsAuditOn() on stdout. The process exit code is always 0, even
 * when IsAuditOn() reports an error (-1), which is printed as "Oops!".
 */
int main (void)
{
    switch (IsAuditOn (FALSE))
    {
    case 1:
        puts ("Auditing has been enabled.");
        break;
    case 0:
        puts ("The audit state is unchanged.");
        break;
    default:
        puts ("Oops!");
        break;
    }

    return 0;
}

2000 (c) DM