
Include Audit data in Windows systems #82

Open
okynos opened this issue Jan 11, 2023 · 6 comments
Assignees
Labels
enhancement New feature or request

Comments

@okynos
Member

okynos commented Jan 11, 2023

Hello!

In the same way we included Audit daemon information in Linux systems we want to include it in Windows systems.

@okynos okynos added the enhancement New feature or request label Jan 11, 2023
@okynos okynos self-assigned this Jan 11, 2023
@okynos
Member Author

okynos commented Feb 6, 2023

We have been working hard to understand how the Windows API crate works.
Finally, we have found a way to retrieve and parse audit system events from the security channel.
Will include it in FIM soon. Stay tuned! 🎉

@zbalkan

zbalkan commented Apr 29, 2024

There are many ways on Windows:

  1. One needs to define the local audit policies, like Auditd configuration. It can be done either via local policies or group policies. After that you can just read, filter and parse the Windows event log. There is a Rust crate for the event log. More than one, actually.
  2. You can make use of the NTFS filesystem's abilities by getting indexes and changes. At that point, it becomes a change data capture thing. There is an ntfs crate by Colin Finck, one of the developers of ReactOS.
  3. You can make use of the windows::Win32::Storage::FileSystem::ReadDirectoryChangesW unsafe method or any wrappers around it.
  4. You can add a dependency to https://github.com/notify-rs/notify library and let it do its job.

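The first option above has a "read, filter and parse" step that is easy to get wrong. The following is an added example (my own code, not FIM's and not from this comment's author) of the parse-and-filter half for a 4663 "An attempt was made to access an object" event from the Security channel. It assumes the event has already been rendered to XML (the shape EvtRender returns), so it needs no Windows API and runs anywhere; the three sample events and the watched directory are constructed for the example. It also assumes the standard winnt.h access-mask bits, and keeps only events whose mask contains a write-like right, so that a read-only open of a watched file does not show up as an integrity change.

```rust
use std::collections::HashMap;

/// Access-mask bits (winnt.h values) that change a file or its security descriptor.
const FILE_WRITE_DATA: u32 = 0x0002;
const FILE_APPEND_DATA: u32 = 0x0004;
const FILE_WRITE_ATTRIBUTES: u32 = 0x0100;
const DELETE: u32 = 0x0001_0000;
const WRITE_DAC: u32 = 0x0004_0000;
const WRITE_LIKE: u32 =
    FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_ATTRIBUTES | DELETE | WRITE_DAC;

/// The fields of a 4663 event that a file-integrity monitor wants to keep.
#[derive(Debug, Clone, PartialEq)]
pub struct FileAuditEvent {
    pub event_id: u32,
    pub subject: String,
    pub object_name: String,
    pub process: String,
    pub access_mask: u32,
}

/// Text of the first `<tag ...>...</tag>` element, or None if it is absent.
fn element_text<'a>(xml: &'a str, tag: &str) -> Option<&'a str> {
    let open = xml.find(&format!("<{}", tag))?;
    let body_start = open + xml[open..].find('>')? + 1;
    let close = format!("</{}>", tag);
    let body_end = body_start + xml[body_start..].find(&close)?;
    Some(&xml[body_start..body_end])
}

/// Undo the entity escaping applied to rendered field values.
fn unescape(s: &str) -> String {
    s.replace("&lt;", "<")
        .replace("&gt;", ">")
        .replace("&quot;", "\"")
        .replace("&apos;", "'")
        .replace("&amp;", "&")
}

/// Every `<Data Name="X">value</Data>` pair in the EventData section.
fn event_data(xml: &str) -> HashMap<String, String> {
    let mut fields = HashMap::new();
    let marker = "<Data Name=\"";
    let mut rest = xml;
    while let Some(pos) = rest.find(marker) {
        let after = &rest[pos + marker.len()..];
        let name_end = match after.find('"') { Some(i) => i, None => break };
        let name = &after[..name_end];
        let tail = &after[name_end + 1..];
        let gt = match tail.find('>') { Some(i) => i, None => break };
        // Empty fields are rendered as `<Data Name="X"/>`.
        let (value, consumed) = if tail[..gt].ends_with('/') {
            (String::new(), gt + 1)
        } else {
            let body = &tail[gt + 1..];
            let end = match body.find("</Data>") { Some(i) => i, None => break };
            (unescape(&body[..end]), gt + 1 + end + "</Data>".len())
        };
        fields.insert(name.to_string(), value);
        rest = &tail[consumed..];
    }
    fields
}

/// Parse one rendered Security event; None unless it is a 4663 with the fields we need.
pub fn parse_file_audit(xml: &str) -> Option<FileAuditEvent> {
    let event_id: u32 = element_text(xml, "EventID")?.trim().parse().ok()?;
    if event_id != 4663 {
        return None;
    }
    let data = event_data(xml);
    // AccessMask is rendered as a hex string such as 0x2.
    let mask = data.get("AccessMask")?.trim().trim_start_matches("0x");
    let access_mask = u32::from_str_radix(mask, 16).ok()?;
    Some(FileAuditEvent {
        event_id,
        subject: data.get("SubjectUserName")?.clone(),
        object_name: data.get("ObjectName")?.clone(),
        process: data.get("ProcessName")?.clone(),
        access_mask,
    })
}

/// Keep 4663 events that touch a watched directory with a write-like right.
/// NTFS paths are case-insensitive, so the comparison is done lower-cased.
pub fn filter_watched(events: &[&str], watched_dirs: &[&str]) -> Vec<FileAuditEvent> {
    events
        .iter()
        .filter_map(|xml| parse_file_audit(xml))
        .filter(|ev| (ev.access_mask & WRITE_LIKE) != 0)
        .filter(|ev| {
            let path = ev.object_name.to_lowercase();
            watched_dirs.iter().any(|d| path.starts_with(d.to_lowercase().as_str()))
        })
        .collect()
}

/// Constructed sample events in the shape EvtRender produces (not captured from a real host).
pub const SAMPLE_EVENTS: [&str; 3] = [
    // 4663: notepad.exe opens hosts with FILE_WRITE_DATA; this one should be reported.
    r#"<Event><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4663</EventID><Channel>Security</Channel></System><EventData><Data Name="SubjectUserName">alice</Data><Data Name="ObjectType">File</Data><Data Name="ObjectName">C:\Windows\System32\drivers\etc\hosts</Data><Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data><Data Name="AccessMask">0x2</Data></EventData></Event>"#,
    // 4663: a read-only open (FILE_READ_DATA) of the same file; dropped by the mask filter.
    r#"<Event><System><EventID>4663</EventID></System><EventData><Data Name="SubjectUserName">svc_backup</Data><Data Name="ObjectName">C:\Windows\System32\drivers\etc\hosts</Data><Data Name="ProcessName">C:\Tools\backup.exe</Data><Data Name="AccessMask">0x1</Data></EventData></Event>"#,
    // 4656: a handle request rather than a completed access; the parser ignores it.
    r#"<Event><System><EventID>4656</EventID></System><EventData><Data Name="ObjectName">C:\Windows\System32\drivers\etc\hosts</Data><Data Name="AccessMask">0x2</Data></EventData></Event>"#,
];

fn main() {
    for ev in filter_watched(&SAMPLE_EVENTS, &[r"C:\Windows\System32\drivers\etc"]) {
        println!("{} via {} wrote {} (mask 0x{:x})", ev.subject, ev.process, ev.object_name, ev.access_mask);
    }
}
```

Two caveats that belong with the "define the audit policies" point: 4663 is only written when the "Audit File System" subcategory is enabled and the object (or its parent, via inheritance) carries a SACL for the relevant rights, so an empty result is as likely to mean missing policy as no change; and 4656 records the handle request, not the access, so counting it as a modification over-reports. The code that pulls the XML from the channel (EvtQuery/EvtNext/EvtRender through the windows crate) is platform-specific and not shown here.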
@okynos
Member Author

okynos commented Apr 29, 2024

Thanks for the tip, @zbalkan.
Currently, FIM uses the Notify crate as the core to build something bigger.
As far as I know, Notify doesn't support Windows Audit rules and information. I developed a way to capture Windows Audit data from the Event Log, but it's unstable for now.

In any case, I will review the points you mentioned.

@zbalkan

zbalkan commented Apr 29, 2024

Yes, notify also makes use of ReadDirectoryChangesW. For event logs, there are many tools globally, but it is a new area for Rust. I am sorry if it sounded like unsolicited advice.

@zbalkan

zbalkan commented Apr 29, 2024

Two years ago, I decided to create my own FIM, yet at one point I lost interest. But it just works. The code is more or less readable. https://github.com/zbalkan/IntegrityService

It is built for Windows and using Windows instruments: registry as local configuration source, Group Policy as central configuration source, event channel as log sink, and NTFS records as source of truth. I used LiteDB, a C# NoSQL database instead of SQLite, as it provides a light ORM itself via the library, no SQL commands.

Maybe it would give some inspiration.

@okynos
Member Author

okynos commented Apr 30, 2024

Awesome! I will take a look, thanks.
