利用 secedit.exe 配置本地审核策略
效果图:
代码(samtool.bat):
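@echo off
rem samtool.bat - back up, restore or set the local audit policy with secedit.exe.
rem
rem   samtool -b file.inf [-v]          export the current security settings
rem   samtool -r file.inf [-v]          apply the settings stored in file.inf
rem   samtool -o letters -p 0..3 [-v]   set the chosen audit categories
rem
rem secedit /configure rewrites machine security policy, so run this from an
rem elevated prompt and keep the -b export where only administrators can write:
rem -r applies whatever that file contains. No /areas switch is passed, so -b
rem and -r cover the whole security template, not only the audit settings.
setlocal
if {%1} == {} goto :help
if {%2} == {} goto :help

rem Scratch files go to the per-user TEMP directory under a per-run name.
rem Fixed names in the current directory would delete a user file that happens
rem to be called samtool.inf (including the one passed to -b or -r) and would
rem leave the template that is about to be applied in a possibly shared folder.
set "work=%TEMP%\samtool_%RANDOM%_%RANDOM%"
set "rc=0"

if {%1} == {-b} goto :backup
if {%1} == {-r} goto :restore
if {%1} == {-o} goto :options
rem Unknown mode: show the usage text instead of silently doing nothing.
goto :help

:backup
secedit /export /cfg %2 /log "%work%.log" /quiet
set "rc=%errorlevel%"
goto :finish

:restore
secedit /configure /db "%work%.sdb" /cfg %2 /log "%work%.log" /quiet
set "rc=%errorlevel%"
goto :finish

:options
if {%4} == {} goto :help
if not {%3} == {-p} goto :help
rem The level must be exactly 0, 1, 2 or 3. A substring match would also let
rem values such as 13 or 3x through and write them into the template.
set "level="
for %%v in (0 1 2 3) do if {%4} == {%%v} set "level=%%v"
if not defined level goto :help
rem A lone a selects all nine categories. Any other value may contain only the
rem documented category letters, so a typo shows the usage text instead of
rem applying an empty or partial template without any message.
set "cats=desouclmp"
if {%2} == {a} goto :build
echo.%2|findstr /r /x "[desouclmp][desouclmp]*" >nul || goto :help
set "cats=%2"

:build
rem These nine keys are the basic category-level audit settings. Where advanced
rem audit policy subcategories are in force they can take precedence, so confirm
rem the effective policy afterwards, for example with auditpol /get /category:*
rem The space before each redirection is deliberate: without it cmd can read the
rem trailing digit as a handle number and drop it from the text.
echo.[version] >"%work%.inf"
echo.signature="$chicago$" >>"%work%.inf"
echo.[event audit] >>"%work%.inf"
echo.%cats%|findstr "d" >nul && echo.auditdsaccess=%level% >>"%work%.inf"
echo.%cats%|findstr "e" >nul && echo.auditlogonevents=%level% >>"%work%.inf"
echo.%cats%|findstr "s" >nul && echo.auditsystemevents=%level% >>"%work%.inf"
echo.%cats%|findstr "o" >nul && echo.auditobjectaccess=%level% >>"%work%.inf"
echo.%cats%|findstr "u" >nul && echo.auditprivilegeuse=%level% >>"%work%.inf"
echo.%cats%|findstr "c" >nul && echo.auditpolicychange=%level% >>"%work%.inf"
echo.%cats%|findstr "l" >nul && echo.auditaccountlogon=%level% >>"%work%.inf"
echo.%cats%|findstr "m" >nul && echo.auditaccountmanage=%level% >>"%work%.inf"
echo.%cats%|findstr "p" >nul && echo.auditprocesstracking=%level% >>"%work%.inf"
secedit /configure /db "%work%.sdb" /cfg "%work%.inf" /log "%work%.log" /quiet
set "rc=%errorlevel%"

:finish
rem -v sits in position 3 for -b and -r, and in position 5 for -o.
if exist "%work%.log" if {%3} == {-v} type "%work%.log"
if exist "%work%.log" if {%5} == {-v} type "%work%.log"
rem Report a secedit failure even without -v: the log is deleted below, and a
rem policy change that did not apply should not look like a success.
if not {%rc%} == {0} echo.samtool: secedit returned exit code %rc%. 1>&2
if exist "%work%.sdb" erase "%work%.sdb" /q
if exist "%work%.inf" erase "%work%.inf" /q
if exist "%work%.log" erase "%work%.log" /q
exit /b %rc%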
:help
rem Usage screen. Reached through goto when required arguments are missing or
rem the -p check fails. cls clears the console before the text is printed.
cls
rem The carets below escape the pipe and the parentheses so echo prints them
rem literally instead of cmd interpreting them.
echo.system audit strategy manage tool. (c) copyright 2013 enun-net.
echo.
echo.usage: samtool -b^|r [drive:][path][filename] -o options -p parameters -v
echo.
echo. -b backup the current configuration, specifies an inf file.
echo. -r from an inf file recovery configuration.
echo. -o options^(support multiple^):
echo. d: directory service access
echo. e: logon events
echo. s: system events
echo. o: object access
echo. u: privilege use
echo. c: policy change
echo. l: account logon
echo. m: account manage
echo. p: process tracking
echo. a: all audit
echo. -p parameters:
echo. 0: don't audit
echo. 1: only audit successful
echo. 2: only audit failure
echo. 3: all audit ^(successful and failure^)
echo. -v detailed results.
echo.
rem Note: the first example uses level 0, which switches auditing off for the
rem logon events and policy change categories.
echo.example: samtool -o ec -p 0 -v
echo. samtool -b c:\myconfig.inf -v
rem No exit code is given, so the caller sees whatever errorlevel was last set.
exit /b
例如:samtool -o ec -p 1 -v,将审核策略配置为:审核策略更改(成功)、审核登录事件(成功),并显示较详细的输出。注意:secedit /configure 需要管理员权限,请在以管理员身份运行的命令提示符中执行。
原文:https://www.enun.net/?p=2339