Initial commit of Audit Windows development, still pre-alpha

Achiefs · Nov 27, 2024 · 9a73360 · 9a73360
1 parent 87eb4a5
commit 9a73360
Show file tree

Hide file tree

Showing 10 changed files with 1,266 additions and 59 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -32,11 +32,27 @@ features = ["std"]
 
 [target.'cfg(windows)'.dependencies]
 windows-service = "0.7.0"
+windows-core = "0.58.0"
 zip = "1.1.2"
+minidom = "0.15.2"
+
 
 [target.'cfg(unix)'.dependencies]
 flate2 = "1.0.27"
 tar = "0.4.40"
 
 [dev-dependencies]
 tokio-test = "*"
+
+[dependencies.windows]
+version = "0.58.0"
+features = [
+    "Win32_Foundation",
+    "Win32_System_EventLog",
+    "Win32_System_SystemServices",
+    "Win32_Security",
+    "Win32_Security_Authorization",
+    "Win32_System_Threading",
+    "Win32_UI_WindowsAndMessaging",
+    "Win32_Storage_FileSystem"
+]
diff --git a/config/index_template.json b/config/index_template.json
@@ -60,7 +60,25 @@
       "source": { "type": "keyword" },
       "parent_id": { "type": "keyword" },
       "message": { "type": "keyword" },
-      "rule": { "type": "keyword" }
+      "rule": { "type": "keyword" },
+      "operations": { "type": "keyword" },
+      "subject_user_sid": { "type": "keyword" },
+      "subject_user_name": { "type": "keyword" },
+      "subject_domain_name": { "type": "keyword" },
+      "subject_logon_id": { "type": "keyword" },
+      "object_server": { "type": "keyword" },
+      "object_type": { "type": "keyword" },
+      "object_name": { "type": "keyword" },
+      "handle_id": { "type": "keyword" },
+      "transaction_id": { "type": "keyword" },
+      "access_list": { "type": "keyword" },
+      "access_reason": { "type": "keyword" },
+      "access_mask": { "type": "keyword" },
+      "privilege_list": { "type": "keyword" },
+      "restricted_sid_count": { "type": "keyword" },
+      "process_id": { "type": "keyword" },
+      "process_name": { "type": "keyword" },
+      "resource_attributes": { "type": "keyword" }
     }
   },
   "settings": {
@@ -126,7 +144,25 @@
           "source",
           "parent_id",
           "message",
-          "rule"
+          "rule",
+          "operations",
+          "subject_user_sid",
+          "subject_user_name",
+          "subject_domain_name",
+          "subject_logon_id",
+          "object_server",
+          "object_type",
+          "object_name",
+          "handle_id",
+          "transaction_id",
+          "access_list",
+          "access_reason",
+          "access_mask",
+          "privilege_list",
+          "restricted_sid_count",
+          "process_id",
+          "process_name",
+          "resource_attributes"
         ]
       }
     }

diff --git a/src/appconfig.rs b/src/appconfig.rs
@@ -333,7 +333,7 @@ impl AppConfig {
     // ------------------------------------------------------------------------
 
     pub fn get_index(&self, raw_path: &str, cwd: &str, array: Array) -> usize {
-        // Iterate over monitoring paths to match ignore string and ignore event or not
+        // Iterate over monitoring paths to match the event path.
         match array.iter().position(|it| {
             if !cwd.is_empty() && (raw_path.starts_with("./") || raw_path == "." || !raw_path.contains('/')) {
                 utils::match_path(cwd, it["path"].as_str().unwrap())
@@ -406,12 +406,12 @@ impl AppConfig {
         let mut integrations: Vec<Integration> = Vec::new();
         data.iter().for_each(|info|
             integrations.push(Integration::new(
-                String::from(info["name"].as_str().unwrap()), 
+                String::from(info["name"].as_str().unwrap()),
                 info["condition"]
-                    .clone().into_vec().unwrap().iter().map(|element| 
-                        String::from(element.as_str().unwrap()) ).collect(), 
-                String::from(info["binary"].as_str().unwrap()), 
-                String::from(info["script"].as_str().unwrap()), 
+                    .clone().into_vec().unwrap().iter().map(|element|
+                        String::from(element.as_str().unwrap()) ).collect(),
+                String::from(info["binary"].as_str().unwrap()),
+                String::from(info["script"].as_str().unwrap()),
                 String::from(info["parameters"].as_str().unwrap()) ))
         );
         integrations
@@ -501,7 +501,7 @@ pub fn get_config_path(system: &str) -> String {
             String::from(CONFIG_MACOS_PATH)
         }else{
             String::from(CONFIG_LINUX_PATH)
-        } 
+        }
     }
 }
 

diff --git a/src/main.rs b/src/main.rs
@@ -21,6 +21,7 @@ mod index;
 // Single event data management
 mod event;
 mod monitorevent;
+mod winevent;
 mod ruleevent;
 // File reading continuously
 mod logreader;
@@ -36,6 +37,8 @@ mod launcher;
 mod multiwatcher;
 mod rotator;
 mod init;
+mod wineventsubscriber;
+mod winhandler;
 
 // ----------------------------------------------------------------------------