Include Audit data in Windows systems
Hello!
In the same way we included Audit daemon information in Linux systems, we want to include it in Windows systems.
We have been working hard to understand how the Windows API crate works. Finally, we have found a way to retrieve and parse audit system events from the Security channel. We will include it in FIM soon. Stay tuned! 🎉
There are many ways on Windows:
- One needs to define the local audit policies, like the Auditd configuration. It can be done either via local policies or group policies. After that you can just read, filter and parse the Windows event log. There is a Rust crate for the event log. More than one, actually.
- You can make use of the NTFS filesystem's abilities by getting indexes and changes. At that point, it becomes a change data capture thing. There is an `ntfs` crate by Colin Finck, one of the developers of ReactOS.
- You can make use of the `windows::Win32::Storage::FileSystem::ReadDirectoryChangesW` unsafe method or any wrappers around it.
- You can add a dependency to the https://github.com/notify-rs/notify library and let it do its job.
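The first approach above (audit policy, then read and parse the Security log) as an end-to-end procedure. This is an added example, not code from FIM or from either commenter; `C:\Watched` and the `Get-FileAuditEvent` helper are assumptions for illustration. It is meant for an elevated PowerShell session, because both `auditpol` and writing a SACL require administrator rights.

```powershell
# Added example (not FIM's code): file-system auditing on Windows, end to end.
# Assumed: elevated PowerShell; $WatchPath is a hypothetical folder for the demo.

# 1. Enable the "File System" subcategory of Object Access auditing locally.
#    In a domain this is normally pushed through Group Policy instead.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. The audit policy alone logs nothing: the object also needs a SACL entry
#    saying which principals and which access rights to audit.
$WatchPath = 'C:\Watched'   # assumed path for this example
New-Item -ItemType Directory -Path $WatchPath -Force | Out-Null

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write,Delete,ChangePermissions,TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success,Failure')

$acl = Get-Acl -Path $WatchPath -Audit     # -Audit is required to read/modify the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $WatchPath -AclObject $acl

# 3. Produce a change so there is something to read back.
Set-Content -Path (Join-Path $WatchPath 'test.txt') -Value 'hello'

# 4. Read Security event 4663 ("An attempt was made to access an object"),
#    flatten its EventData into named fields, and keep only our watched path.
function Get-FileAuditEvent {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [datetime]$Since = (Get-Date).AddMinutes(-5)
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object     = $data.ObjectName
            AccessMask = $data.AccessMask   # hex access mask, e.g. 0x2 is FILE_WRITE_DATA
            Process    = $data.ProcessName
        }
    } |
    Where-Object { $_.Object -like "$Path*" }
}

Get-FileAuditEvent -Path $WatchPath | Format-Table -AutoSize
```

Two caveats a monitoring agent has to deal with: the "File System" subcategory is noisy system-wide, so the SACL (not the policy) is where scope is controlled, and a SACL for `Everyone` with `Write,Delete` on a busy tree will generate a large volume of 4663 events, so an agent should filter on `ObjectName` and `AccessMask` before doing anything expensive with a record.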
Thanks for the tip @zbalkan. Currently, FIM uses the Notify crate as the core to build something bigger. As far as I know, Notify doesn't support Windows Audit rules and information. I developed a way to capture Windows Audit data from the Event Log, but it's unstable for now.
In any case, I will review the points you mentioned.
Yes, notify also makes use of ReadDirectoryChangesW. For event logs, there are many tools globally, but it is a new area for Rust. I am sorry if it sounded like unsolicited advice.
2 years ago, I decided to create my own FIM, yet at one point I lost interest. But it just works. The code is more or less readable. https://github.com/zbalkan/IntegrityService
It is built for Windows and uses Windows instruments: the registry as the local configuration source, Group Policy as the central configuration source, an event channel as the log sink, and NTFS records as the source of truth. I used LiteDB, a C# NoSQL database, instead of SQLite, as it provides a light ORM itself via the library, with no SQL commands.
Maybe it would give some inspiration.
Awesome! I will take a look, thanks.