我需要知道，对于每个子类别，审计的是成功、失败、两者都审计，还是完全不审计。此信息在本地可通过 AuditEnumerateSubCategories 获得，但似乎没有远程读取同一信息的方法。以下是我需要收集的信息的示例。
我能通过 WMI 获取这些信息吗？如果不能，假设我拥有目标机器的正确（管理员）凭据，是否有其他方式可以获取？
再次澄清一下，我需要读取的不是事件日志本身，而是日志（审计）配置。
<!-- Sample of the per-subcategory audit policy the author wants to collect remotely.
     One element per audit subcategory; the text value is the configured setting.
     Values seen in this sample: AUDIT_SUCCESS, AUDIT_NONE, AUDIT_SUCCESS_FAILURE.
     NOTE(review): a failure-only value is presumably also possible but does not occur here; confirm the full value set with the consumer of this data.
     NOTE(review): this is a fragment with no single root element, so it is not a well-formed document on its own; wrap it in a root element before parsing.
     NOTE(review): the element order appears to follow the Windows advanced audit policy categories (System, Logon/Logoff, Object Access, Privilege Use, Detailed Tracking, Policy Change, Account Management, DS Access, Account Logon); the group comments below are an inference from the names, not from the page. -->
<!-- System -->
<security_state_change>AUDIT_SUCCESS</security_state_change>
<security_system_extension>AUDIT_NONE</security_system_extension>
<system_integrity>AUDIT_SUCCESS_FAILURE</system_integrity>
<ipsec_driver>AUDIT_NONE</ipsec_driver>
<other_system_events>AUDIT_SUCCESS_FAILURE</other_system_events>
<!-- Logon/Logoff -->
<logon>AUDIT_SUCCESS</logon>
<logoff>AUDIT_SUCCESS</logoff>
<account_lockout>AUDIT_SUCCESS</account_lockout>
<ipsec_main_mode>AUDIT_NONE</ipsec_main_mode>
<ipsec_quick_mode>AUDIT_NONE</ipsec_quick_mode>
<ipsec_extended_mode>AUDIT_NONE</ipsec_extended_mode>
<special_logon>AUDIT_SUCCESS</special_logon>
<other_logon_logoff_events>AUDIT_NONE</other_logon_logoff_events>
<!-- Object Access (every subcategory is AUDIT_NONE in this sample) -->
<file_system>AUDIT_NONE</file_system>
<registry>AUDIT_NONE</registry>
<kernel_object>AUDIT_NONE</kernel_object>
<sam>AUDIT_NONE</sam>
<certification_services>AUDIT_NONE</certification_services>
<application_generated>AUDIT_NONE</application_generated>
<handle_manipulation>AUDIT_NONE</handle_manipulation>
<file_share>AUDIT_NONE</file_share>
<filtering_platform_packet_drop>AUDIT_NONE</filtering_platform_packet_drop>
<filtering_platform_connection>AUDIT_NONE</filtering_platform_connection>
<other_object_access_events>AUDIT_NONE</other_object_access_events>
<!-- Privilege Use.
     NOTE(review): the next two element names spell "privlege" (missing the "i"); the sample is reproduced as given, but any consumer that keys on these names must use the same spelling, and a collector should not silently "correct" it on one side only. -->
<sensitive_privilege_use>AUDIT_NONE</sensitive_privilege_use>
<non_sensitive_privlege_use>AUDIT_NONE</non_sensitive_privlege_use>
<other_privlege_use_events>AUDIT_NONE</other_privlege_use_events>
<!-- Detailed Tracking (all AUDIT_NONE here, so this sample host records no process creation/termination) -->
<process_creation>AUDIT_NONE</process_creation>
<process_termination>AUDIT_NONE</process_termination>
<dpapi_activity>AUDIT_NONE</dpapi_activity>
<rpc_events>AUDIT_NONE</rpc_events>
<!-- Policy Change -->
<audit_policy_change>AUDIT_SUCCESS</audit_policy_change>
<authentication_policy_change>AUDIT_SUCCESS</authentication_policy_change>
<authorization_policy_change>AUDIT_NONE</authorization_policy_change>
<mpssvc_rule_level_policy_change>AUDIT_NONE</mpssvc_rule_level_policy_change>
<filtering_platform_policy_change>AUDIT_NONE</filtering_platform_policy_change>
<other_policy_change_events>AUDIT_NONE</other_policy_change_events>
<!-- Account Management -->
<user_account_management>AUDIT_SUCCESS</user_account_management>
<computer_account_management>AUDIT_NONE</computer_account_management>
<security_group_management>AUDIT_SUCCESS</security_group_management>
<distribution_group_management>AUDIT_NONE</distribution_group_management>
<application_group_management>AUDIT_NONE</application_group_management>
<other_account_management_events>AUDIT_NONE</other_account_management_events>
<!-- DS Access -->
<directory_service_access>AUDIT_NONE</directory_service_access>
<directory_service_changes>AUDIT_NONE</directory_service_changes>
<directory_service_replication>AUDIT_NONE</directory_service_replication>
<detailed_directory_service_replication>AUDIT_NONE</detailed_directory_service_replication>
<!-- Account Logon -->
<credential_validation>AUDIT_NONE</credential_validation>
<kerberos_ticket_events>AUDIT_NONE</kerberos_ticket_events>
<other_account_logon_events>AUDIT_NONE</other_account_logon_events>