Open okynos opened 1 year ago
We have been working hard to understand how the Windows API crate works. Finally, we have found a way to retrieve and parse audit system events from the security channel. Will include it in FIM soon. Stay tuned! 🎉
There are many ways on Windows:
- ntfs crate by Colin Finck, one of the developers of ReactOS.
- windows::Win32::Storage::FileSystem::ReadDirectoryChangesW unsafe method or any wrappers around it.

Thanks for the tip @zbalkan. Currently, FIM uses the Notify crate as the core to build something bigger. As far as I know, Notify doesn't support Windows Audit rules and information. I developed a way to capture Windows Audit data from Event Log but it's unstable by now.
In any case, I will review the points you mentioned.
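For readers following the "capture Windows Audit data from Event Log" idea above, here is an added PowerShell example (not FIM's code and not from any participant in this thread) that reads file-access audit events (ID 4663) from the Security channel and flattens their EventData into objects. It assumes that "Audit File System" is enabled, that the watched directory carries a SACL (otherwise the Security log holds no 4663 events), that the session is elevated, and it uses the placeholder path `C:\Watched\`.

```powershell
# Added example, not part of FIM: read file-access audit events (ID 4663)
# from the Security channel and turn each one into a flat object.
# Assumes "Audit File System" auditing is on and the watched paths have a SACL;
# without that Get-WinEvent simply returns nothing. Run from an elevated shell.

function Get-FileAuditEvents {
    param(
        [string]$PathPrefix = 'C:\Watched\',   # placeholder path, adjust as needed
        [int]$MaxEvents = 200
    )

    # Only the Security log, only event 4663 ("An attempt was made to access an object")
    $filter = @{ LogName = 'Security'; Id = 4663 }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The interesting fields live in <EventData><Data Name="..."> nodes
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time       = $_.TimeCreated
                Subject    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Object     = $data.ObjectName      # full path of the file or directory
                AccessMask = $data.AccessMask      # hex string, e.g. 0x2 = WriteData
                Process    = $data.ProcessName     # image that performed the access
            }
        } |
        Where-Object { $_.Object -like "$PathPrefix*" }
}

# Example usage: list recent audited accesses under the watched path
Get-FileAuditEvents | Format-Table -AutoSize
```

Filtering by path after the fact keeps the Get-WinEvent query simple; for large Security logs a structured XPath query on `ObjectName` would be cheaper, but the shape of the parsed record stays the same.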
Yes, notify also makes use of ReadDirectoryChangesW. For event logs, there are many tools globally but it is a new area for rust. I am sorry if it sounded like an unsolicited advice.
2 years ago, I decided to create my own FIM, yet at one point I lost interest. But it just works. The code is more or less readable. https://github.com/zbalkan/IntegrityService
It is built for Windows and uses Windows instruments: registry as local configuration source, Group Policy as central configuration source, event channel as log sink, and NTFS records as source of truth. I used LiteDB, a C# NoSQL database, instead of SQLite, as it provides a light ORM itself via the library, no SQL commands.
Maybe it would give some inspiration.
Awesome! I will take a look, thanks.
Hello!
In the same way we included Audit daemon information in Linux systems we want to include it in Windows systems.